SeccompProfile CRD: add new fields for seccomp notify
Seccomp notify is a new feature in container runtimes introduced by
- https:/opencontainers/runtime-spec PR 1074
- https:/opencontainers/runc PR 2682 (available in runc 1.1.0)

This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
  seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can
  contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https:/opencontainers/runtime-spec PR 1096 for details.
alban committed Feb 2, 2022
1 parent 87c45e1 commit 294bb86
Showing 7 changed files with 63 additions and 10 deletions.
10 changes: 7 additions & 3 deletions api/seccompprofile/v1beta1/seccompprofile_types.go
@@ -1,5 +1,5 @@
/*
Copyright 2020 The Kubernetes Authors.
Copyright 2020-2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -44,10 +44,14 @@ type SeccompProfileSpec struct {

// the default action for seccomp
//nolint:lll
// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG
// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG;SCMP_ACT_NOTIFY
DefaultAction seccomp.Action `json:"defaultAction"`
// the architecture used for system calls
Architectures []Arch `json:"architectures,omitempty"`
// path of UNIX domain socket to contact a seccomp agent for SCMP_ACT_NOTIFY
ListenerPath string `json:"listenerPath,omitempty"`
// opaque data to pass to the seccomp agent
ListenerMetadata string `json:"listenerMetadata,omitempty"`
// match a syscall in seccomp. While this property is OPTIONAL, some values
// of defaultAction are not useful without syscalls entries. For example,
// if defaultAction is SCMP_ACT_KILL and syscalls is empty or unset, the
Expand All @@ -73,7 +77,7 @@ type Syscall struct {
Names []string `json:"names"`
// the action for seccomp rules
//nolint:lll
// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG
// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG;SCMP_ACT_NOTIFY
Action seccomp.Action `json:"action"`
// the errno return code to use. Some actions like SCMP_ACT_ERRNO and
// SCMP_ACT_TRACE allow to specify the errno code to return
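Review bot: ListenerPath on L44 is accepted as an arbitrary string although it names a UNIX domain socket that the container runtime opens on the node whenever SCMP_ACT_NOTIFY fires; the Enum markers constrain the action, but nothing constrains the path, and the field comment does not say where the path is resolved or that it becomes mandatory once the new action is used. Suggest expanding the comment to `// path of UNIX domain socket, resolved by the container runtime on the node, to contact a seccomp agent; required when defaultAction or any syscall action is SCMP_ACT_NOTIFY` and, if the runtime expects an absolute path, pairing it with a `+kubebuilder:validation:Pattern` marker that requires a leading slash, plus a `MaxLength` on both new fields so an unbounded ListenerMetadata blob cannot be pushed to the agent. The same SCMP_ACT_NOTIFY enum extension is made for Syscall.Action on L55, where a syscall-level NOTIFY has the same dependency on ListenerPath. SeccompProfileSpec begins outside the hunk.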
9 changes: 9 additions & 0 deletions deploy/base/crds/seccompprofile.yaml
Expand Up @@ -89,6 +89,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
flags:
description: list of flags to use with seccomp(2)
Expand All @@ -99,6 +100,13 @@ spec:
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
type: string
type: array
listenerMetadata:
description: opaque data to pass to the seccomp agent
type: string
listenerPath:
description: path of UNIX domain socket to contact a seccomp agent
for SCMP_ACT_NOTIFY
type: string
syscalls:
description: match a syscall in seccomp. While this property is OPTIONAL,
some values of defaultAction are not useful without syscalls entries.
Expand All @@ -119,6 +127,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
args:
description: the specific syscall in seccomp
9 changes: 9 additions & 0 deletions deploy/namespace-operator.yaml
Expand Up @@ -300,6 +300,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
flags:
description: list of flags to use with seccomp(2)
Expand All @@ -310,6 +311,13 @@ spec:
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
type: string
type: array
listenerMetadata:
description: opaque data to pass to the seccomp agent
type: string
listenerPath:
description: path of UNIX domain socket to contact a seccomp agent
for SCMP_ACT_NOTIFY
type: string
syscalls:
description: match a syscall in seccomp. While this property is OPTIONAL,
some values of defaultAction are not useful without syscalls entries.
Expand All @@ -330,6 +338,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
args:
description: the specific syscall in seccomp
9 changes: 9 additions & 0 deletions deploy/openshift-dev.yaml
Expand Up @@ -300,6 +300,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
flags:
description: list of flags to use with seccomp(2)
Expand All @@ -310,6 +311,13 @@ spec:
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
type: string
type: array
listenerMetadata:
description: opaque data to pass to the seccomp agent
type: string
listenerPath:
description: path of UNIX domain socket to contact a seccomp agent
for SCMP_ACT_NOTIFY
type: string
syscalls:
description: match a syscall in seccomp. While this property is OPTIONAL,
some values of defaultAction are not useful without syscalls entries.
Expand All @@ -330,6 +338,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
args:
description: the specific syscall in seccomp
9 changes: 9 additions & 0 deletions deploy/openshift.yaml
Expand Up @@ -300,6 +300,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
flags:
description: list of flags to use with seccomp(2)
Expand All @@ -310,6 +311,13 @@ spec:
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
type: string
type: array
listenerMetadata:
description: opaque data to pass to the seccomp agent
type: string
listenerPath:
description: path of UNIX domain socket to contact a seccomp agent
for SCMP_ACT_NOTIFY
type: string
syscalls:
description: match a syscall in seccomp. While this property is OPTIONAL,
some values of defaultAction are not useful without syscalls entries.
Expand All @@ -330,6 +338,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
args:
description: the specific syscall in seccomp
9 changes: 9 additions & 0 deletions deploy/operator.yaml
Expand Up @@ -300,6 +300,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
flags:
description: list of flags to use with seccomp(2)
Expand All @@ -310,6 +311,13 @@ spec:
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
type: string
type: array
listenerMetadata:
description: opaque data to pass to the seccomp agent
type: string
listenerPath:
description: path of UNIX domain socket to contact a seccomp agent
for SCMP_ACT_NOTIFY
type: string
syscalls:
description: match a syscall in seccomp. While this property is OPTIONAL,
some values of defaultAction are not useful without syscalls entries.
Expand All @@ -330,6 +338,7 @@ spec:
- SCMP_ACT_TRACE
- SCMP_ACT_ALLOW
- SCMP_ACT_LOG
- SCMP_ACT_NOTIFY
type: string
args:
description: the specific syscall in seccomp
18 changes: 11 additions & 7 deletions internal/pkg/daemon/seccompprofile/seccompprofile.go
Expand Up @@ -183,10 +183,12 @@ func (r *Reconciler) Reconcile(_ context.Context, req reconcile.Request) (reconc

// OutputProfile represents the on-disk form of the SeccompProfile.
type OutputProfile struct {
DefaultAction seccomp.Action `json:"defaultAction"`
Architectures []seccompprofileapi.Arch `json:"architectures,omitempty"`
Syscalls []*seccompprofileapi.Syscall `json:"syscalls,omitempty"`
Flags []*seccompprofileapi.Flag `json:"flags,omitempty"`
DefaultAction seccomp.Action `json:"defaultAction"`
Architectures []seccompprofileapi.Arch `json:"architectures,omitempty"`
ListenerPath string `json:"listenerPath,omitempty"`
ListenerMetadata string `json:"listenerMetadata,omitempty"`
Syscalls []*seccompprofileapi.Syscall `json:"syscalls,omitempty"`
Flags []*seccompprofileapi.Flag `json:"flags,omitempty"`
}

func unionSyscalls(baseSyscalls, appliedSyscalls []*seccompprofileapi.Syscall) []*seccompprofileapi.Syscall {
Expand Down Expand Up @@ -220,9 +222,11 @@ func (r *Reconciler) mergeBaseProfile(
ctx context.Context, sp *seccompprofileapi.SeccompProfile, l logr.Logger,
) (OutputProfile, error) {
op := OutputProfile{
DefaultAction: sp.Spec.DefaultAction,
Architectures: sp.Spec.Architectures,
Flags: sp.Spec.Flags,
DefaultAction: sp.Spec.DefaultAction,
Architectures: sp.Spec.Architectures,
ListenerPath: sp.Spec.ListenerPath,
ListenerMetadata: sp.Spec.ListenerMetadata,
Flags: sp.Spec.Flags,
}
baseProfileName := sp.Spec.BaseProfileName
if baseProfileName == "" {
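Review bot: mergeBaseProfile (L251-L255) copies ListenerPath and ListenerMetadata from sp.Spec into the on-disk profile without checking that a profile which uses SCMP_ACT_NOTIFY actually carries a listener path, so such a profile is written out and only rejected later by the runtime, where the failure is harder to attribute to the CRD. A small guard before building op would surface the inconsistency in the reconcile error instead; the sketch below compares the string form because the action enum values are the ones visible in this commit, and it assumes sp.Spec.Syscalls is ranged like the slices passed to unionSyscalls — adjust if the element type differs. If the base profile can itself set listenerPath, note that only sp.Spec's value is used here, which matches how Flags is already handled but is worth a comment. mergeBaseProfile continues outside the hunk.
```go
// usesNotify reports whether the profile relies on SCMP_ACT_NOTIFY anywhere;
// the runtime cannot honor that action without a listener socket path.
func usesNotify(sp *seccompprofileapi.SeccompProfile) bool {
	const actNotify seccomp.Action = "SCMP_ACT_NOTIFY"
	if sp.Spec.DefaultAction == actNotify {
		return true
	}
	for _, sc := range sp.Spec.Syscalls {
		if sc.Action == actNotify {
			return true
		}
	}
	return false
}

// in mergeBaseProfile, before op is built:
if usesNotify(sp) && sp.Spec.ListenerPath == "" {
	return OutputProfile{}, errors.New("SCMP_ACT_NOTIFY requires listenerPath to be set")
}
op := OutputProfile{
// … unchanged: field copies and base profile merge …
```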
