seccomp: add support for SECCOMP_FILTER_FLAG_TSYNC, SECCOMP_FILTER_FL…

…AG_SPEC_ALLOW Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
opencontainers · Feb 23, 2022 · 35083f7 · 35083f7
1 parent 40d8286
commit 35083f7
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -89,10 +89,21 @@ func InitSeccomp(config *configs.Seccomp) (int, error) {
 	// Add extra flags
 	for _, flag := range config.Flags {
 		switch flag {
+		case "SECCOMP_FILTER_FLAG_TSYNC":
+			// libseccomp-golang always use filterAttrTsync when
+			// possible so all goroutines will receive the same
+			// rules, so there is nothing to do. It does not make
+			// sense to apply the seccomp filter on only one
+			// thread; other threads will be terminated after exec
+			// anyway.
 		case "SECCOMP_FILTER_FLAG_LOG":
 			if err := filter.SetLogBit(true); err != nil {
 				return -1, fmt.Errorf("error adding log flag to seccomp filter: %w", err)
 			}
+		case "SECCOMP_FILTER_FLAG_SPEC_ALLOW":
+			if err := filter.SetSSB(true); err != nil {
+				return -1, fmt.Errorf("error adding SSB flag to seccomp filter: %w", err)
+			}
 		default:
 			return -1, fmt.Errorf("seccomp flags %q not yet supported by runc", flag)
 		}

diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -1022,8 +1022,8 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	// We don't currently support all seccomp flags.
 	for _, flag := range config.Flags {
 		switch flag {
-		case "SECCOMP_FILTER_FLAG_LOG":
-			newConfig.Flags = append(newConfig.Flags, "SECCOMP_FILTER_FLAG_LOG")
+		case "SECCOMP_FILTER_FLAG_TSYNC", "SECCOMP_FILTER_FLAG_LOG", "SECCOMP_FILTER_FLAG_SPEC_ALLOW":
+			newConfig.Flags = append(newConfig.Flags, string(flag))
 		default:
 			return nil, fmt.Errorf("seccomp flags %q not yet supported by runc", flag)
 		}

diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
@@ -84,6 +84,40 @@ function teardown() {
 	[[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
 }
 
+@test "runc run [seccomp] (SECCOMP_FILTER_FLAG_SPEC_ALLOW)" {
+	requires_kernel 4.17 # SECCOMP_FILTER_FLAG_SPEC_ALLOW appeared in Linux 4.17
+	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+			| .process.noNewPrivileges = false
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"flags":["SECCOMP_FILTER_FLAG_SPEC_ALLOW"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+			}'
+
+	# This test checks that the SSB flag is accepted but does not check the
+	# result
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
+}
+
+@test "runc run [seccomp] (SECCOMP_FILTER_FLAG_TSYNC)" {
+	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+			| .process.noNewPrivileges = false
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"flags":["SECCOMP_FILTER_FLAG_SPEC_ALLOW"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+			}'
+
+	# This test checks that the tsync flag is accepted
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
+}
+
 @test "runc run [seccomp] (SCMP_ACT_KILL)" {
 	update_config '  .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
 			| .process.noNewPrivileges = false