oci: Update seccomp configuration

Seccomp configuration should be updated to prepare for the future seccomp support based on the latest OCI specification.

Add:
- flags, which are used with seccomp(2), in struct LinuxSeccomp
- errnoRet, which is the errno return code, in struct LinuxSyscall
- some new seccomp actions and an architecture

Fixes: #1391

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Manabu Sugimoto 2021-02-10 13:52:28 +09:00
parent d6682e3168
commit 660b047306
3 changed files with 23 additions and 3 deletions


@ -8,7 +8,7 @@ extern crate serde;
extern crate serde_derive; extern crate serde_derive;
extern crate serde_json; extern crate serde_json;
use libc::mode_t; use libc::{self, mode_t};
use std::collections::HashMap; use std::collections::HashMap;
mod serialize; mod serialize;
@ -27,6 +27,10 @@ where
*d == T::default() *d == T::default()
} }
fn default_seccomp_errno() -> u32 {
libc::EPERM as u32
}
#[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)] #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)]
pub struct Spec { pub struct Spec {
#[serde( #[serde(
@ -710,6 +714,8 @@ pub struct LinuxSeccomp {
#[serde(default, skip_serializing_if = "Vec::is_empty")] #[serde(default, skip_serializing_if = "Vec::is_empty")]
pub architectures: Vec<Arch>, pub architectures: Vec<Arch>,
#[serde(default, skip_serializing_if = "Vec::is_empty")] #[serde(default, skip_serializing_if = "Vec::is_empty")]
pub flags: Vec<LinuxSeccompFlag>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub syscalls: Vec<LinuxSyscall>, pub syscalls: Vec<LinuxSyscall>,
} }
@ -733,14 +739,20 @@ pub const ARCHS390: &str = "SCMP_ARCH_S390";
pub const ARCHS390X: &str = "SCMP_ARCH_S390X"; pub const ARCHS390X: &str = "SCMP_ARCH_S390X";
pub const ARCHPARISC: &str = "SCMP_ARCH_PARISC"; pub const ARCHPARISC: &str = "SCMP_ARCH_PARISC";
pub const ARCHPARISC64: &str = "SCMP_ARCH_PARISC64"; pub const ARCHPARISC64: &str = "SCMP_ARCH_PARISC64";
pub const ARCHRISCV64: &str = "SCMP_ARCH_RISCV64";
pub type LinuxSeccompFlag = String;
pub type LinuxSeccompAction = String; pub type LinuxSeccompAction = String;
pub const ACTKILL: &str = "SCMP_ACT_KILL"; pub const ACTKILL: &str = "SCMP_ACT_KILL";
pub const ACTKILLPROCESS: &str = "SCMP_ACT_KILL_PROCESS";
pub const ACTKILLTHREAD: &str = "SCMP_ACT_KILL_THREAD";
pub const ACTTRAP: &str = "SCMP_ACT_TRAP"; pub const ACTTRAP: &str = "SCMP_ACT_TRAP";
pub const ACTERRNO: &str = "SCMP_ACT_ERRNO"; pub const ACTERRNO: &str = "SCMP_ACT_ERRNO";
pub const ACTTRACE: &str = "SCMP_ACT_TRACE"; pub const ACTTRACE: &str = "SCMP_ACT_TRACE";
pub const ACTALLOW: &str = "SCMP_ACT_ALLOW"; pub const ACTALLOW: &str = "SCMP_ACT_ALLOW";
pub const ACTLOG: &str = "SCMP_ACT_LOG";
pub type LinuxSeccompOperator = String; pub type LinuxSeccompOperator = String;
@ -770,6 +782,8 @@ pub struct LinuxSyscall {
pub names: Vec<String>, pub names: Vec<String>,
#[serde(default, skip_serializing_if = "String::is_empty")] #[serde(default, skip_serializing_if = "String::is_empty")]
pub action: LinuxSeccompAction, pub action: LinuxSeccompAction,
#[serde(default = "default_seccomp_errno", rename = "errnoRet")]
pub errno_ret: u32,
#[serde(default, skip_serializing_if = "Vec::is_empty")] #[serde(default, skip_serializing_if = "Vec::is_empty")]
pub args: Vec<LinuxSeccompArg>, pub args: Vec<LinuxSeccompArg>,
} }
@ -1554,9 +1568,11 @@ mod tests {
seccomp: Some(crate::LinuxSeccomp { seccomp: Some(crate::LinuxSeccomp {
default_action: "SCMP_ACT_ALLOW".to_string(), default_action: "SCMP_ACT_ALLOW".to_string(),
architectures: vec!["SCMP_ARCH_X86".to_string(), "SCMP_ARCH_X32".to_string()], architectures: vec!["SCMP_ARCH_X86".to_string(), "SCMP_ARCH_X32".to_string()],
flags: vec![],
syscalls: vec![crate::LinuxSyscall { syscalls: vec![crate::LinuxSyscall {
names: vec!["getcwd".to_string(), "chmod".to_string()], names: vec!["getcwd".to_string(), "chmod".to_string()],
action: "SCMP_ACT_ERRNO".to_string(), action: "SCMP_ACT_ERRNO".to_string(),
errno_ret: crate::default_seccomp_errno(),
args: vec![], args: vec![],
}], }],
}), }),
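Review bot: `errno_ret: u32` with `default = "default_seccomp_errno"` cannot distinguish "omitted" from "explicitly set", so a consumer can no longer enforce the spec's rule that errnoRet is only valid together with SCMP_ACT_ERRNO or SCMP_ACT_TRACE, and because there is no `skip_serializing_if`, every round-tripped syscall rule gains `"errnoRet":1`. If that distinction matters, `Option<u32>` with `skip_serializing_if = "Option::is_none"` mirrors the runtime-spec Go type and lets the EPERM default be applied where the filter is actually built. At minimum the new helper and field should be documented, e.g. `/// Errno returned for SCMP_ACT_ERRNO / SCMP_ACT_TRACE rules; the OCI spec defaults it to EPERM when absent.` Also, `LinuxSeccompFlag` is introduced without constants for the flag values the spec enumerates, unlike the `ACT*`/`ARCH*` constants next to it; adding them beside the alias keeps the module consistent.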


@ -441,7 +441,8 @@ message LinuxInterfacePriority {
message LinuxSeccomp { message LinuxSeccomp {
string DefaultAction = 1; string DefaultAction = 1;
repeated string Architectures = 2; repeated string Architectures = 2;
repeated LinuxSyscall Syscalls = 3 [(gogoproto.nullable) = false]; repeated string Flags = 3;
repeated LinuxSyscall Syscalls = 4 [(gogoproto.nullable) = false];
} }
message LinuxSeccompArg { message LinuxSeccompArg {
@ -454,7 +455,8 @@ message LinuxSeccompArg {
message LinuxSyscall { message LinuxSyscall {
repeated string Names = 1; repeated string Names = 1;
string Action = 2; string Action = 2;
repeated LinuxSeccompArg Args = 3 [(gogoproto.nullable) = false]; uint32 ErrnoRet = 3;
repeated LinuxSeccompArg Args = 4 [(gogoproto.nullable) = false];
} }
message LinuxIntelRdt { message LinuxIntelRdt {
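Review bot: Reusing tag 3 for the new `Flags` and `ErrnoRet` fields and renumbering `Syscalls` and `Args` to 4 changes the wire format, so a peer built from the previous revision exchanges `Syscalls` and `Flags` on the same tag (both length-delimited) and the syscall rules are either rejected or misread as flag strings, leaving the filter with only its default action; the same applies to `Args` vs `ErrnoRet` in the second hunk, where the wire types do not even match. Appending with fresh numbers keeps old messages readable: `repeated LinuxSyscall Syscalls = 3 [(gogoproto.nullable) = false];` `repeated string Flags = 4;` and likewise `repeated LinuxSeccompArg Args = 3 [(gogoproto.nullable) = false];` `uint32 ErrnoRet = 4;`. If both sides of this API are always built from the same tree the renumbering is harmless, but that assumption deserves a comment on the message so a later reader does not rely on cross-version compatibility.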


@ -412,6 +412,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
r.push(ociLinuxSyscall { r.push(ociLinuxSyscall {
names: sys.Names.clone().into_vec(), names: sys.Names.clone().into_vec(),
action: sys.Action.clone(), action: sys.Action.clone(),
errno_ret: sys.ErrnoRet,
args, args,
}); });
} }
@ -421,6 +422,7 @@ fn seccomp_grpc_to_oci(sec: &grpcLinuxSeccomp) -> ociLinuxSeccomp {
ociLinuxSeccomp { ociLinuxSeccomp {
default_action: sec.DefaultAction.clone(), default_action: sec.DefaultAction.clone(),
architectures: sec.Architectures.clone().into_vec(), architectures: sec.Architectures.clone().into_vec(),
flags: sec.Flags.clone().into_vec(),
syscalls, syscalls,
} }
} }
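Review bot: `errno_ret: sys.ErrnoRet` copies the proto3 field verbatim, and an unset `uint32` arrives as 0, so a client that does not populate `ErrnoRet` yields rules with errno 0 instead of the EPERM default the OCI side applies through `default_seccomp_errno`; for an `SCMP_ACT_ERRNO` rule that would make the blocked syscall appear to succeed rather than fail, a materially different policy from EPERM. If 0 is meant to mean "unspecified" on the wire, map it here: `errno_ret: if sys.ErrnoRet == 0 { DEFAULT_ERRNO } else { sys.ErrnoRet },` where `DEFAULT_ERRNO` is a placeholder for the same EPERM value the oci crate uses (its helper is private in the hunk shown). `seccomp_grpc_to_oci` begins before this hunk, so any default handling that already exists earlier in the function is not visible here.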