seccomp: set SPEC_ALLOW by default

If no seccomps flags are set in OCI runtime spec (not even the empty set), set SPEC_ALLOW by default. Otherwise, use the flags set. This mimics the crun behavior, and makes runc seccomp performance on par with crun. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Aug 30, 2022 · d0553dc · d0553dc
1 parent c7dc8b1
commit d0553dc
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -1020,16 +1020,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	newConfig := new(configs.Seccomp)
 	newConfig.Syscalls = []*configs.Syscall{}
 
-	// The list of flags defined in runtime-spec is a subset of the flags
-	// in the seccomp() syscall
-	for _, flag := range config.Flags {
-		switch flag {
-		case "SECCOMP_FILTER_FLAG_TSYNC":
-			// Tsync can be silently ignored
-		case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
-			newConfig.Flags = append(newConfig.Flags, flag)
-		default:
-			return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+	if config.Flags == nil {
+		// No flags are set explicitly (not even the empty set);
+		// set the default of specs.LinuxSeccompFlagSpecAllow.
+		newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
+	} else {
+		// The list of flags defined in runtime-spec is a subset of the flags
+		// in the seccomp() syscall.
+		for _, flag := range config.Flags {
+			switch flag {
+			case "SECCOMP_FILTER_FLAG_TSYNC":
+				// Tsync can be silently ignored
+			case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
+				newConfig.Flags = append(newConfig.Flags, flag)
+			default:
+				return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+			}
 		}
 	}