From d0553dca5b2d3e1526bd807fe5fb5c3d187173db Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 30 Aug 2022 12:05:02 -0700 Subject: [PATCH] seccomp: set SPEC_ALLOW by default If no seccomps flags are set in OCI runtime spec (not even the empty set), set SPEC_ALLOW by default. Otherwise, use the flags set. This mimics the crun behavior, and makes runc seccomp performance on par with crun. Signed-off-by: Kir Kolyshkin --- libcontainer/specconv/spec_linux.go | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go index d62e34be713..15676a0b6d5 100644 --- a/libcontainer/specconv/spec_linux.go +++ b/libcontainer/specconv/spec_linux.go @@ -1020,16 +1020,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) { newConfig := new(configs.Seccomp) newConfig.Syscalls = []*configs.Syscall{} - // The list of flags defined in runtime-spec is a subset of the flags - // in the seccomp() syscall - for _, flag := range config.Flags { - switch flag { - case "SECCOMP_FILTER_FLAG_TSYNC": - // Tsync can be silently ignored - case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow: - newConfig.Flags = append(newConfig.Flags, flag) - default: - return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag) + if config.Flags == nil { + // No flags are set explicitly (not even the empty set); + // set the default of specs.LinuxSeccompFlagSpecAllow. + newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow} + } else { + // The list of flags defined in runtime-spec is a subset of the flags + // in the seccomp() syscall. + for _, flag := range config.Flags { + switch flag { + case "SECCOMP_FILTER_FLAG_TSYNC": + // Tsync can be silently ignored + case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow: + newConfig.Flags = append(newConfig.Flags, flag) + default: + return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag) + } } }