Skip to content

Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" #42005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 2 commits into from
Jul 7, 2021
Merged

Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" #42005

thaJeztah merged 2 commits into from
Jul 7, 2021

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Feb 9, 2021

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah thaJeztah marked this pull request as ready for review February 9, 2021 19:01
@thaJeztah thaJeztah added area/security/seccomp impact/changelog kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. kind/refactor PR's that refactor, or clean-up code status/2-code-review labels Feb 9, 2021
@thaJeztah
Copy link
Member Author

thaJeztah commented Feb 19, 2021

Nice! opencontainers/runtime-spec#1087 was just opened, and has a change I was also considering for a follow-up; with that, it's possible to create a profile that uses ENOSYS as a default (which could be our default profile, or could be used by a user in a custom profile)

@thaJeztah
Copy link
Member Author

thaJeztah commented Feb 22, 2021

@justincormack @tonistiigi @AkihiroSuda ptal

@thaJeztah thaJeztah force-pushed the refactor_seccomp branch from 8cab879 to dc1da4e Compare May 4, 2021 14:16
@thaJeztah

This comment has been minimized.

Sign in to view
@thaJeztah
Copy link
Member Author

thaJeztah commented Jun 4, 2021

Lots of whitespace changes, so diff is best viewed with ?w=1; https://github.com/moby/moby/pull/42005/files?w=1

@thaJeztah

This comment has been minimized.

Sign in to view
@thaJeztah thaJeztah mentioned this pull request Jun 8, 2021
Closed
@thaJeztah

This comment has been minimized.

Sign in to view
@thaJeztah thaJeztah mentioned this pull request Jun 10, 2021
Merged
thaJeztah added 2 commits June 17, 2021 21:25
@thaJeztah
seccomp.Syscall: embed runtime-spec Syscall type
d927397 
This makes the type better reflect the difference with the "runtime" profile;
our local type is used to generate a runtime-spec seccomp profile and extends
the runtime-spec type with additional fields; adding a "Name" field for backward
compatibility with older JSON representations, additional "Comment" metadata,
and conditional rules ("Includes", "Excludes") used during generation to adjust
the profile based on the container (capabilities) and host's (architecture, kernel)
configuration.

This change introduces one change in the type; the "runtime-spec" type uses a
`[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers;
`[]*LinuxSeccompArg`.

In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing
the profile to specify the errno code returned for the syscall, which allows
changing the default EPERM for specific syscalls.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
profiles/seccomp.Syscall: use pointers and omitempty
c7cd1b9 
These fields are optional, and this makes the JSON representation
slightly less verbose.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Copy link
Member Author

thaJeztah commented Jun 22, 2021

@justincormack @tonistiigi @AkihiroSuda ptal

@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 6, 2021

@AkihiroSuda @tianon PTAL 🤗 (justin told me he currently doesn't have time to review)

tianon
tianon approved these changes Jul 6, 2021
View reviewed changes
Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of whitespace changes, so diff is best viewed with ?w=1; https://github.com/moby/moby/pull/42005/files?w=1

I am Very Smart, so I rediscovered this the hard way 👍

@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 7, 2021

I am Very Smart, so I rediscovered this the hard way 👍

Aw, man, sorry! I should've mentioned it in the top comment instead 😞

2 LGTM's now, so let me bring this one in.

I'll have a look at the follow-up as well; see #42005 (comment)

Nice! opencontainers/runtime-spec#1087 was just opened, and has a change I was also considering for a follow-up; with that, it's possible to create a profile that uses ENOSYS as a default (which could be our default profile, or could be used by a user in a custom profile)

With that change we will have the option (at least) to switch the profile to use ENOSYS (or allow users to modify the default profile to use that); see opencontainers/runc#2151

@thaJeztah thaJeztah merged commit 5e4da6c into moby:master Jul 7, 2021
@thaJeztah thaJeztah deleted the refactor_seccomp branch July 7, 2021 09:58
@thaJeztah thaJeztah mentioned this pull request Jul 8, 2021
Merged
@thaJeztah thaJeztah added this to the 21.xx milestone Jul 12, 2021
mfeit-internet2 pushed a commit to mfeit-internet2/moby that referenced this pull request Jul 13, 2021
@thaJeztah
Merge pull request moby#42005 from thaJeztah/refactor_seccomp
9b5be54 
Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet"
Signed-off-by: Mark Feit <[email protected]>
@thaJeztah thaJeztah mentioned this pull request Jul 16, 2021
Merged
@thaJeztah thaJeztah mentioned this pull request Jul 30, 2021
Merged
@tianon tianon mentioned this pull request Sep 9, 2021
Merged
@thaJeztah thaJeztah mentioned this pull request Sep 22, 2021
Open
@tonistiigi tonistiigi mentioned this pull request Sep 28, 2021
Merged
@thaJeztah thaJeztah mentioned this pull request Jul 11, 2022
Closed
@neersighted neersighted mentioned this pull request Jun 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tianon tianon tianon approved these changes

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees

No one assigned

Labels

area/security/seccomp impact/changelog kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. kind/refactor PR's that refactor, or clean-up code status/2-code-review

Projects

None yet

Milestone

23.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@thaJeztah @tianon @tonistiigi