config-linux: support seccomp flags
allow specifying which flags must be passed to seccomp(2) when
installing the filter.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe committed Sep 9, 2019
1 parent 4f2ab15 commit d1ef109
Showing 4 changed files with 26 additions and 0 deletions.
8 changes: 8 additions & 0 deletions config-linux.md
Expand Up @@ -586,6 +586,14 @@ The following parameters can be specified to set up seccomp:
* `SCMP_ARCH_PARISC`
* `SCMP_ARCH_PARISC64`

* **`flags`** *(array of strings, OPTIONAL)* - list of flags to use with seccomp(2).

A valid list of constants is shown below.

* `SECCOMP_FILTER_FLAG_TSYNC`
* `SECCOMP_FILTER_FLAG_LOG`
* `SECCOMP_FILTER_FLAG_SPEC_ALLOW`

* **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp.

While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries.
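Review bot: the new `flags` bullet says only that the list is "flags to use with seccomp(2)" and does not say what a runtime must do when it does not support a listed flag, or when the kernel rejects it; since the same section spells out how `defaultAction` and `syscalls` interact, suggest one sentence stating whether an unsupported flag is an error. The three constants would also benefit from a short description each, in particular that `SECCOMP_FILTER_FLAG_SPEC_ALLOW` opts the filtered process out of the kernel's speculative store bypass mitigation, which a reader choosing from this list should know before enabling it.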
6 changes: 6 additions & 0 deletions schema/config-linux.json
Expand Up @@ -197,6 +197,12 @@
"defaultAction": {
"$ref": "defs-linux.json#/definitions/SeccompAction"
},
"flags": {
"type": "array",
"items": {
"$ref": "defs-linux.json#/definitions/SeccompFlag"
}
},
"architectures": {
"type": "array",
"items": {
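Review bot: the new `flags` array carries no `"uniqueItems": true`, so a config may list the same flag twice and still validate; unless duplicates are meant to be tolerated, add the constraint alongside `"type": "array"`.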
8 changes: 8 additions & 0 deletions schema/defs-linux.json
Expand Up @@ -42,6 +42,14 @@
"SCMP_ACT_ALLOW"
]
},
"SeccompFlag": {
"type": "string",
"enum": [
"SECCOMP_FILTER_FLAG_TSYNC",
"SECCOMP_FILTER_FLAG_LOG",
"SECCOMP_FILTER_FLAG_SPEC_ALLOW"
]
},
"SeccompOperators": {
"type": "string",
"enum": [
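Review bot: `SeccompFlag` is a closed enum of three values, while the Go side in this same commit (`type LinuxSeccompFlag string` in specs-go/config.go) accepts any string; a config carrying a flag that the kernel gains later would round-trip through the Go types but fail schema validation. Either state in config-linux.md that the schema list is authoritative, or plan to extend this enum and the Go constants in lockstep.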
4 changes: 4 additions & 0 deletions specs-go/config.go
Expand Up @@ -556,12 +556,16 @@ type VMImage struct {
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures,omitempty"`
Flags []LinuxSeccompFlag `json:"flags,omitempty"`
Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}

// Arch used for additional architectures
type Arch string

// LinuxSeccompFlag is a flag to pass to seccomp(2).
type LinuxSeccompFlag string

// Additional architectures permitted to be used for system calls
// By default only the native architecture of the kernel is permitted
const (
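Review bot: `LinuxSeccompFlag` is introduced with no named constants, so Go callers have to write `"SECCOMP_FILTER_FLAG_TSYNC"` and friends as string literals; the file already declares a `const (` block of `Arch` values right below, so suggest a matching block with the three flag constants from the schema enum to keep the two in sync and catch typos at compile time.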