oci: Update seccomp configuration

Seccomp configuration should be updated to prepare for the future seccomp support based on the latest OCI specification. Add: - flags which is used with seccomp(2) in struct LinuxSeccomp - errnoRet which is errno return code in struct LinuxSyscall - some new seccomp actions and an architecture Fixes: #1391 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-04-29 04:04:45 +00:00 · 2021-02-10 13:52:28 +09:00 · 2021-02-10 13:52:28 +09:00 · 660b047306
commit 660b047306
parent d6682e3168
3 changed files with 23 additions and 3 deletions
--- a/src/agent/oci/src/lib.rs
+++ b/src/agent/oci/src/lib.rs
@ -8,7 +8,7 @@ extern crate serde;
 extern crate serde_derive;
 extern crate serde_json;

-use libc::mode_t;
+use libc::{self, mode_t};
 use std::collections::HashMap;

 mod serialize;
@ -27,6 +27,10 @@ where
    *d == T::default()
 }

+fn default_seccomp_errno() -> u32 {
+    libc::EPERM as u32
+}
+
 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)]
 pub struct Spec {
    #[serde(
@ -710,6 +714,8 @@ pub struct LinuxSeccomp {
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub architectures: Vec<Arch>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub flags: Vec<LinuxSeccompFlag>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub syscalls: Vec<LinuxSyscall>,
 }

@ -733,14 +739,20 @@ pub const ARCHS390: &str = "SCMP_ARCH_S390";
 pub const ARCHS390X: &str = "SCMP_ARCH_S390X";
 pub const ARCHPARISC: &str = "SCMP_ARCH_PARISC";
 pub const ARCHPARISC64: &str = "SCMP_ARCH_PARISC64";
+pub const ARCHRISCV64: &str = "SCMP_ARCH_RISCV64";
+
+pub type LinuxSeccompFlag = String;

 pub type LinuxSeccompAction = String;

 pub const ACTKILL: &str = "SCMP_ACT_KILL";
+pub const ACTKILLPROCESS: &str = "SCMP_ACT_KILL_PROCESS";
+pub const ACTKILLTHREAD: &str = "SCMP_ACT_KILL_THREAD";
 pub const ACTTRAP: &str = "SCMP_ACT_TRAP";
 pub const ACTERRNO: &str = "SCMP_ACT_ERRNO";
 pub const ACTTRACE: &str = "SCMP_ACT_TRACE";
 pub const ACTALLOW: &str = "SCMP_ACT_ALLOW";
+pub const ACTLOG: &str = "SCMP_ACT_LOG";

 pub type LinuxSeccompOperator = String;

@ -770,6 +782,8 @@ pub struct LinuxSyscall {
    pub names: Vec<String>,
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub action: LinuxSeccompAction,
+    #[serde(default = "default_seccomp_errno", rename = "errnoRet")]
+    pub errno_ret: u32,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub args: Vec<LinuxSeccompArg>,
 }
@ -1554,9 +1568,11 @@ mod tests {
                seccomp: Some(crate::LinuxSeccomp {
                    default_action: "SCMP_ACT_ALLOW".to_string(),
                    architectures: vec!["SCMP_ARCH_X86".to_string(), "SCMP_ARCH_X32".to_string()],
+                    flags: vec![],
                    syscalls: vec![crate::LinuxSyscall {
                        names: vec!["getcwd".to_string(), "chmod".to_string()],
                        action: "SCMP_ACT_ERRNO".to_string(),
+                        errno_ret: crate::default_seccomp_errno(),
                        args: vec![],
                    }],
                }),
--- a/src/agent/protocols/protos/oci.proto
+++ b/src/agent/protocols/protos/oci.proto
@ -441,7 +441,8 @@ message LinuxInterfacePriority {
 message LinuxSeccomp {
 	string DefaultAction = 1;
 	repeated string Architectures = 2;
-	repeated LinuxSyscall Syscalls = 3  [(gogoproto.nullable) = false];
+	repeated string Flags = 3;
+	repeated LinuxSyscall Syscalls = 4  [(gogoproto.nullable) = false];
 }

 message LinuxSeccompArg {
@ -454,7 +455,8 @@ message LinuxSeccompArg {
 message LinuxSyscall {
 	repeated string Names = 1;
 	string Action = 2;
-	repeated LinuxSeccompArg Args = 3  [(gogoproto.nullable) = false];
+	uint32 ErrnoRet = 3;
+	repeated LinuxSeccompArg Args = 4  [(gogoproto.nullable) = false];
 }

 message LinuxIntelRdt {
--- a/src/agent/rustjail/src/lib.rs
+++ b/src/agent/rustjail/src/lib.rs
@ -412,6 +412,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
            r.push(ociLinuxSyscall {
                names: sys.Names.clone().into_vec(),
                action: sys.Action.clone(),
+                errno_ret: sys.ErrnoRet,
                args,
            });
        }
@ -421,6 +422,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
    ociLinuxSeccomp {
        default_action: sec.DefaultAction.clone(),
        architectures: sec.Architectures.clone().into_vec(),
+        flags: sec.Flags.clone().into_vec(),
        syscalls,
    }
 }