Add SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

alban · alban · commit 722c7dd2bd7f · 2022-10-04T11:25:18.000+02:00
Linux 5.19 introduced a new seccomp flag: SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=c2aa2dfef243 It is useful for seccomp notify when handling notification from Golang programs which are often preempted by the runtime with SIGURG. The flag was added in runtime-spec: opencontainers/runtime-spec@4bcd065 and implemented in crun: containers/crun@396ac88 But not yet in runc. Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
diff --git a/api/seccompprofile/v1beta1/seccompprofile_types.go b/api/seccompprofile/v1beta1/seccompprofile_types.go
@@ -69,7 +69,8 @@ type SeccompProfileSpec struct {
 //nolint:lll // required for kubebuilder
 type Arch string
 
-// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW
+// nolint:lll // required for kubebuilder
+// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW;SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
 type Flag string
 
 // Syscall defines a syscall in seccomp.
diff --git a/bundle/manifests/security-profiles-operator.x-k8s.io_seccompprofiles.yaml b/bundle/manifests/security-profiles-operator.x-k8s.io_seccompprofiles.yaml
@@ -100,6 +100,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/base-crds/crd.yaml b/deploy/base-crds/crd.yaml
@@ -313,6 +313,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               syscalls:
diff --git a/deploy/base-crds/crds/seccompprofile.yaml b/deploy/base-crds/crds/seccompprofile.yaml
@@ -98,6 +98,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/helm/crds/crds.yaml b/deploy/helm/crds/crds.yaml
@@ -305,6 +305,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/namespace-operator.yaml b/deploy/namespace-operator.yaml
@@ -305,6 +305,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/openshift-dev.yaml b/deploy/openshift-dev.yaml
@@ -305,6 +305,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -305,6 +305,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
diff --git a/deploy/webhook-operator.yaml b/deploy/webhook-operator.yaml
@@ -481,6 +481,7 @@ spec:
                   - SECCOMP_FILTER_FLAG_TSYNC
                   - SECCOMP_FILTER_FLAG_LOG
                   - SECCOMP_FILTER_FLAG_SPEC_ALLOW
+                  - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
                   type: string
                 type: array
               listenerMetadata:
