virtcontainers: Conditionally pass seccomp profile

Pass Seccomp profile to the agent only if the configuration.toml allows it to be passed and the agent/image is seccomp capable. Fixes: #688 Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
2025-07-01 09:42:45 +00:00 · 2019-01-08 10:22:23 +05:30 · 2019-01-08 10:22:23 +05:30 · c2c9c844e2
commit c2c9c844e2
parent 8161b4c1c1
8 changed files with 59 additions and 27 deletions
--- a/5
+++ b/5
@ -147,6 +147,9 @@ DEFMEMSLOTS := 10
 DEFBRIDGES := 1
 #Default network model
 DEFNETWORKMODEL := macvtap
+
+DEFDISABLEGUESTSECCOMP := true
+
 #Default entropy source
 DEFENTROPYSOURCE := /dev/urandom

@ -229,6 +232,7 @@ USER_VARS += DEFMEMSZ
 USER_VARS += DEFMEMSLOTS
 USER_VARS += DEFBRIDGES
 USER_VARS += DEFNETWORKMODEL
+USER_VARS += DEFDISABLEGUESTSECCOMP
 USER_VARS += DEFDISABLEBLOCK
 USER_VARS += DEFBLOCKSTORAGEDRIVER
 USER_VARS += DEFENABLEIOTHREADS
@ -398,6 +402,7 @@ $(GENERATED_FILES): %: %.in Makefile VERSION
 		-e "s|@DEFMEMSLOTS@|$(DEFMEMSLOTS)|g" \
 		-e "s|@DEFBRIDGES@|$(DEFBRIDGES)|g" \
 		-e "s|@DEFNETWORKMODEL@|$(DEFNETWORKMODEL)|g" \
+		-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
 		-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER@|$(DEFBLOCKSTORAGEDRIVER)|g" \
 		-e "s|@DEFENABLEIOTHREADS@|$(DEFENABLEIOTHREADS)|g" \
--- a/cli/config/configuration.toml.in
+++ b/cli/config/configuration.toml.in
@ -291,6 +291,13 @@ path = "@NETMONPATH@"
 #
 internetworking_model="@DEFNETWORKMODEL@"

+# disable guest seccomp
+# Determines whether container seccomp profiles are passed to the virtual
+# machine and applied by the kata agent. If set to true, seccomp is not applied
+# within the guest
+# (default: true)
+disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
--- a/cli/kata-env.go
+++ b/cli/kata-env.go
@ -63,12 +63,13 @@ type RuntimeConfigInfo struct {

 // RuntimeInfo stores runtime details.
 type RuntimeInfo struct {
-	Version         RuntimeVersionInfo
-	Config          RuntimeConfigInfo
-	Debug           bool
-	Trace           bool
-	DisableNewNetNs bool
-	Path            string
+	Version             RuntimeVersionInfo
+	Config              RuntimeConfigInfo
+	Debug               bool
+	Trace               bool
+	DisableGuestSeccomp bool
+	DisableNewNetNs     bool
+	Path                string
 }

 // RuntimeVersionInfo stores details of the runtime version
@ -174,12 +175,13 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 	runtimePath, _ := os.Executable()

 	return RuntimeInfo{
-		Debug:           config.Debug,
-		Trace:           config.Trace,
-		Version:         runtimeVersion,
-		Config:          runtimeConfig,
-		Path:            runtimePath,
-		DisableNewNetNs: config.DisableNewNetNs,
+		Debug:               config.Debug,
+		Trace:               config.Trace,
+		Version:             runtimeVersion,
+		Config:              runtimeConfig,
+		Path:                runtimePath,
+		DisableNewNetNs:     config.DisableNewNetNs,
+		DisableGuestSeccomp: config.DisableGuestSeccomp,
 	}
 }

--- a/pkg/katautils/config.go
+++ b/pkg/katautils/config.go
@ -120,10 +120,11 @@ type proxy struct {
 }

 type runtime struct {
-	Debug             bool   `toml:"enable_debug"`
-	Tracing           bool   `toml:"enable_tracing"`
-	DisableNewNetNs   bool   `toml:"disable_new_netns"`
-	InterNetworkModel string `toml:"internetworking_model"`
+	Debug               bool   `toml:"enable_debug"`
+	Tracing             bool   `toml:"enable_tracing"`
+	DisableNewNetNs     bool   `toml:"disable_new_netns"`
+	DisableGuestSeccomp bool   `toml:"disable_guest_seccomp"`
+	InterNetworkModel   string `toml:"internetworking_model"`
 }

 type shim struct {
@ -795,6 +796,8 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 		return "", config, err
 	}

+	config.DisableGuestSeccomp = tomlConf.Runtime.DisableGuestSeccomp
+
 	// use no proxy if HypervisorConfig.UseVSock is true
 	if config.HypervisorConfig.UseVSock {
 		kataUtilsLogger.Info("VSOCK supported, configure to not use proxy")
--- a/virtcontainers/kata_agent.go
+++ b/virtcontainers/kata_agent.go
@ -773,16 +773,17 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
 	return nil
 }

-func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool) {
+func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool, passSeccomp bool) {
 	// Disable Hooks since they have been handled on the host and there is
 	// no reason to send them to the agent. It would make no sense to try
 	// to apply them on the guest.
 	grpcSpec.Hooks = nil

-	// Disable Seccomp since they cannot be handled properly by the agent
-	// until we provide a guest image with libseccomp support. More details
-	// here: https://github.com/kata-containers/agent/issues/104
-	grpcSpec.Linux.Seccomp = nil
+	// Pass seccomp only if disable_guest_seccomp is set to false in
+	// configuration.toml and guest image is seccomp capable.
+	if passSeccomp == false {
+		grpcSpec.Linux.Seccomp = nil
+	}

 	// By now only CPU constraints are supported
 	// Issue: https://github.com/kata-containers/runtime/issues/158
@ -1055,9 +1056,11 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
 		return nil, err
 	}

+	passSeccomp := !sandbox.config.DisableGuestSeccomp && sandbox.seccompSupported
+
 	// We need to constraint the spec to make sure we're not passing
 	// irrelevant information to the agent.
-	constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup)
+	constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup, passSeccomp)

 	k.handleShm(grpcSpec, sandbox)

--- a/virtcontainers/kata_agent_test.go
+++ b/virtcontainers/kata_agent_test.go
@ -471,11 +471,11 @@ func TestConstraintGRPCSpec(t *testing.T) {
 		},
 	}

-	constraintGRPCSpec(g, true)
+	constraintGRPCSpec(g, true, true)

 	// check nil fields
 	assert.Nil(g.Hooks)
-	assert.Nil(g.Linux.Seccomp)
+	assert.NotNil(g.Linux.Seccomp)
 	assert.Nil(g.Linux.Resources.Devices)
 	assert.NotNil(g.Linux.Resources.Memory)
 	assert.Nil(g.Linux.Resources.Pids)
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@ -122,6 +122,9 @@ type RuntimeConfig struct {
 	Debug             bool
 	Trace             bool

+	//Determines if seccomp should be applied inside guest
+	DisableGuestSeccomp bool
+
 	//Determines if create a netns for hypervisor process
 	DisableNewNetNs bool
 }
@ -489,6 +492,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid
 		ShmSize: shmSize,

 		SystemdCgroup: systemdCgroup,
+
+		DisableGuestSeccomp: runtime.DisableGuestSeccomp,
 	}

 	addAssetAnnotations(ocispec, &sandboxConfig)
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@ -361,6 +361,8 @@ type SandboxConfig struct {

 	// SystemdCgroup enables systemd cgroup support
 	SystemdCgroup bool
+
+	DisableGuestSeccomp bool
 }

 func (s *Sandbox) trace(name string) (opentracing.Span, context.Context) {
@ -490,9 +492,10 @@ type Sandbox struct {

 	wg *sync.WaitGroup

-	shmSize    uint64
-	sharePidNs bool
-	stateful   bool
+	shmSize          uint64
+	sharePidNs       bool
+	stateful         bool
+	seccompSupported bool

 	ctx context.Context

@ -734,6 +737,10 @@ func (s *Sandbox) getAndStoreGuestDetails() error {

 	if guestDetailRes != nil {
 		s.state.GuestMemoryBlockSizeMB = uint32(guestDetailRes.MemBlockSizeBytes >> 20)
+		if guestDetailRes.AgentDetails != nil {
+			s.seccompSupported = guestDetailRes.AgentDetails.SupportsSeccomp
+		}
+
 		if err = s.storage.storeSandboxResource(s.id, stateFileType, s.state); err != nil {
 			return err
 		}