Skip to content

Add support for seccomp filter flags#733

Merged
utam0k merged 1 commit into
youki-dev:mainfrom
saschagrunert:filter-flag-log
Feb 23, 2022
Merged

Add support for seccomp filter flags#733
utam0k merged 1 commit into
youki-dev:mainfrom
saschagrunert:filter-flag-log

Conversation

@saschagrunert

@saschagrunert saschagrunert commented Feb 23, 2022
edited by gitpod-io Bot
Loading

Copy link
Copy Markdown
Collaborator

Container runtimes like crun already support the flags: containers/crun@fefabff

We now support the flags SECCOMP_FILTER_FLAG_SPEC_ALLOW, SECCOMP_FILTER_FLAG_TSYNC as well as SECCOMP_FILTER_FLAG_LOG and refactor the flag code into the filter context.

@codecov-commenter

codecov-commenter commented Feb 23, 2022
edited
Loading

Copy link
Copy Markdown

Codecov Report

Merging #733 (d837153) into main (673d2e1) will decrease coverage by 0.09%.
The diff coverage is 37.14%.

@@            Coverage Diff             @@
##             main     #733      +/-   ##
==========================================
- Coverage   72.52%   72.43%   -0.10%     
==========================================
  Files          86       86              
  Lines       11740    11763      +23     
==========================================
+ Hits         8515     8520       +5     
- Misses       3225     3243      +18

harche
harche reviewed Feb 23, 2022
View reviewed changes
Comment thread Cargo.lock Outdated
saschagrunert added a commit to saschagrunert/common that referenced this pull request Feb 23, 2022
@saschagrunert
Add support for seccomp filter flags
ca5e983 
crun supports seccomp filter flags since containers/crun@fefabff
runc will get them with opencontainers/runc#3390
youki will get them with youki-dev/youki#733

To support them generally, we now copy the flags during the seccomp
setup, otherwise they will get lost.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert saschagrunert mentioned this pull request Feb 23, 2022
Merged
@saschagrunert
Add support for seccomp filter flags
d837153 
Container runtimes like `crun` already support the flags:
containers/crun@fefabff

We now support the flags `SECCOMP_FILTER_FLAG_SPEC_ALLOW`,
`SECCOMP_FILTER_FLAG_TSYNC` as well as `SECCOMP_FILTER_FLAG_LOG` and
refactor the flag code into the filter context.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
utam0k
utam0k approved these changes Feb 23, 2022
View reviewed changes

@utam0k utam0k left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@saschagrunert
Thanks! 💯

@utam0k utam0k merged commit ab1e6e4 into youki-dev:main Feb 23, 2022
@saschagrunert saschagrunert deleted the filter-flag-log branch February 23, 2022 12:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@utam0k utam0k utam0k approved these changes

+1 more reviewer

@harche harche harche left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@saschagrunert @codecov-commenter @harche @utam0k