github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-15 22:08:47 +00:00
Code Issues Projects Releases Wiki Activity

agent: Add support for Seccomp

Browse Source 
The kata-agent supports seccomp feature based on the OCI runtime specification.
This seccomp capability in the kata-agent is enabled by default.
However, it is not enforced by default: users need to enable that by setting
`disable_guest_seccomp` to `false` in the main configuration file.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This commit is contained in:
Manabu Sugimoto
2021-07-16 14:50:58 +09:00
parent 4d4a15d6ce
commit 3be50adab9
11 changed files with 342 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/runtime/virtcontainers/kata_agent.go
View File

@@ -1422,6 +1422,10 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co
sharedPidNs := k.handlePidNamespace(grpcSpec, sandbox)
if !sandbox.config.DisableGuestSeccomp && !sandbox.seccompSupported {
return nil, fmt.Errorf("Seccomp profiles are passed to the virtual machine, but the Kata agent does not support seccomp")
}
passSeccomp := !sandbox.config.DisableGuestSeccomp && sandbox.seccompSupported
// We need to constrain the spec to make sure we're not