diff --git a/src/agent/oci/src/lib.rs b/src/agent/oci/src/lib.rs
index 079a55e00b..2e3c3f1109 100644
--- a/src/agent/oci/src/lib.rs
+++ b/src/agent/oci/src/lib.rs
@@ -8,7 +8,7 @@ extern crate serde;
 extern crate serde_derive;
 extern crate serde_json;
-use libc::mode_t;
+use libc::{self, mode_t};
 use std::collections::HashMap;
 mod serialize;
@@ -27,6 +27,10 @@ where
 *d == T::default()
 }
+fn default_seccomp_errno() -> u32 {
+ libc::EPERM as u32
+}
+
 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)]
 pub struct Spec {
 #[serde(
@@ -710,6 +714,8 @@ pub struct LinuxSeccomp {
 #[serde(default, skip_serializing_if = "Vec::is_empty")]
 pub architectures: Vec,
 #[serde(default, skip_serializing_if = "Vec::is_empty")]
+ pub flags: Vec,
+ #[serde(default, skip_serializing_if = "Vec::is_empty")]
 pub syscalls: Vec,
 }
@@ -733,14 +739,20 @@ pub const ARCHS390: &str = "SCMP_ARCH_S390";
 pub const ARCHS390X: &str = "SCMP_ARCH_S390X";
 pub const ARCHPARISC: &str = "SCMP_ARCH_PARISC";
 pub const ARCHPARISC64: &str = "SCMP_ARCH_PARISC64";
+pub const ARCHRISCV64: &str = "SCMP_ARCH_RISCV64";
+
+pub type LinuxSeccompFlag = String;
 pub type LinuxSeccompAction = String;
 pub const ACTKILL: &str = "SCMP_ACT_KILL";
+pub const ACTKILLPROCESS: &str = "SCMP_ACT_KILL_PROCESS";
+pub const ACTKILLTHREAD: &str = "SCMP_ACT_KILL_THREAD";
 pub const ACTTRAP: &str = "SCMP_ACT_TRAP";
 pub const ACTERRNO: &str = "SCMP_ACT_ERRNO";
 pub const ACTTRACE: &str = "SCMP_ACT_TRACE";
 pub const ACTALLOW: &str = "SCMP_ACT_ALLOW";
+pub const ACTLOG: &str = "SCMP_ACT_LOG";
 pub type LinuxSeccompOperator = String;
@@ -770,6 +782,8 @@ pub struct LinuxSyscall {
 pub names: Vec,
 #[serde(default, skip_serializing_if = "String::is_empty")]
 pub action: LinuxSeccompAction,
+ #[serde(default = "default_seccomp_errno", rename = "errnoRet")]
+ pub errno_ret: u32,
 #[serde(default, skip_serializing_if = "Vec::is_empty")]
 pub args: Vec,
 }
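Review bot: `default_seccomp_errno` in the `@@ -27` hunk has no doc comment, and nothing states where the EPERM default comes from, even though this value is what a blocked syscall hands back to the container. Suggested header: `/// Errno used for a seccomp rule that omits errnoRet; the OCI runtime spec defines EPERM as that default.` A short why-comment on the cast also helps the next reader, e.g. `// EPERM is a small positive i32, so the cast to u32 cannot wrap.`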
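Review bot: `errno_ret` in the `@@ -770` hunk has no `skip_serializing_if`, so every `LinuxSyscall` is written back with `"errnoRet": 1` even for actions such as SCMP_ACT_ALLOW or SCMP_ACT_KILL where the value has no meaning; that differs from how the neighbouring `action` and `args` fields are treated and changes the JSON a round-tripped spec produces. If the spec is ever re-serialized for another consumer, a predicate such as `fn is_default_seccomp_errno(v: &u32) -> bool` used as `skip_serializing_if = "is_default_seccomp_errno"` keeps the output minimal; otherwise at least document the field, `/// Errno returned to the caller for SCMP_ACT_ERRNO and SCMP_ACT_TRACE rules; defaults to EPERM.` The `LinuxSyscall` definition starts before the hunk.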
@@ -1565,9 +1579,11 @@ mod tests {
 seccomp: Some(crate::LinuxSeccomp {
 default_action: "SCMP_ACT_ALLOW".to_string(),
 architectures: vec!["SCMP_ARCH_X86".to_string(), "SCMP_ARCH_X32".to_string()],
+ flags: vec![],
 syscalls: vec![crate::LinuxSyscall {
 names: vec!["getcwd".to_string(), "chmod".to_string()],
 action: "SCMP_ACT_ERRNO".to_string(),
+ errno_ret: crate::default_seccomp_errno(),
 args: vec![],
 }],
 }),
diff --git a/src/agent/protocols/protos/oci.proto b/src/agent/protocols/protos/oci.proto
index 15a3b8f5b9..236230075d 100644
--- a/src/agent/protocols/protos/oci.proto
+++ b/src/agent/protocols/protos/oci.proto
@@ -441,7 +441,8 @@ message LinuxInterfacePriority {
 message LinuxSeccomp {
 string DefaultAction = 1;
 repeated string Architectures = 2;
- repeated LinuxSyscall Syscalls = 3 [(gogoproto.nullable) = false];
+ repeated string Flags = 3;
+ repeated LinuxSyscall Syscalls = 4 [(gogoproto.nullable) = false];
 }
 message LinuxSeccompArg {
@@ -454,7 +455,8 @@ message LinuxSeccompArg {
 message LinuxSyscall {
 repeated string Names = 1;
 string Action = 2;
- repeated LinuxSeccompArg Args = 3 [(gogoproto.nullable) = false];
+ uint32 ErrnoRet = 3;
+ repeated LinuxSeccompArg Args = 4 [(gogoproto.nullable) = false];
 }
 message LinuxIntelRdt {
diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs
index 6cdf3d0c54..4b66b8a05c 100644
--- a/src/agent/rustjail/src/lib.rs
+++ b/src/agent/rustjail/src/lib.rs
@@ -412,6 +412,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
 r.push(ociLinuxSyscall {
 names: sys.Names.clone().into_vec(),
 action: sys.Action.clone(),
+ errno_ret: sys.ErrnoRet,
 args,
 });
 }
@@ -421,6 +422,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
 ociLinuxSeccomp {
 default_action: sec.DefaultAction.clone(),
 architectures: sec.Architectures.clone().into_vec(),
+ flags: sec.Flags.clone().into_vec(),
 syscalls,
 }
 }
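Review bot: Renumbering `Syscalls` from 3 to 4 in the `@@ -441` hunk (and `Args` from 3 to 4 in the `@@ -454` hunk) changes the wire format of existing fields: a runtime built against the previous oci.proto still sends its syscall rules as field 3, which a newer agent would decode as `Flags` strings (or reject as malformed) while `Syscalls` stays empty, so only `DefaultAction` would be enforced. With an allow-by-default profile that silently drops every restriction instead of failing loudly. Unless agent and runtime are guaranteed to be upgraded in lock-step, keep the existing numbers and append the new fields instead: `repeated string Flags = 4;` and `uint32 ErrnoRet = 4;`.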
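Review bot: `errno_ret: sys.ErrnoRet` in the `@@ -412` hunk copies the protobuf value verbatim, so a rule whose errnoRet was never set arrives as 0 (the proto3 scalar default) rather than the EPERM default the serde path applies via `default_seccomp_errno`; an SCMP_ACT_ERRNO rule with errno 0 makes the blocked syscall appear to succeed to the caller. The conversion should restore the default when the wire value is 0, e.g. `errno_ret: if sys.ErrnoRet == 0 { libc::EPERM as u32 } else { sys.ErrnoRet },` — `default_seccomp_errno` is private to the oci crate, so either make it `pub` or use the constant here (assuming `libc` is available in this crate). This only matters if the runtime side leaves the field unset for rules without errnoRet, which is worth confirming. `seccomp_grpc_to_oci` starts before the hunk.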