Add support for seccomp filter flags

saschagrunert · saschagrunert · commit ca5e98301017 · 2022-02-23T12:02:13.000+01:00
crun supports seccomp filter flags since containers/crun@fefabff runc will get them with opencontainers/runc#3390 youki will get them with youki-dev/youki#733 To support them generally, we now copy the flags during the seccomp setup, otherwise they will get lost. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
@@ -1,3 +1,4 @@
+//go:build seccomp
 // +build seccomp
 
 // SPDX-License-Identifier: Apache-2.0
@@ -120,6 +121,10 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 		return nil, err
 	}
 
+	for _, flag := range config.Flags {
+		newConfig.Flags = append(newConfig.Flags, specs.LinuxSeccompFlag(flag))
+	}
+
 	if len(config.ArchMap) != 0 {
 		for _, a := range config.ArchMap {
 			seccompArch, ok := nativeToSeccomp[arch]
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
@@ -17,6 +17,7 @@ type Seccomp struct {
 	Architectures []Arch         `json:"architectures,omitempty"`
 	ArchMap       []Architecture `json:"archMap,omitempty"`
 	Syscalls      []*Syscall     `json:"syscalls"`
+	Flags         []string       `json:"flags,omitempty"`
 }
 
 // Architecture is used to represent a specific architecture

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ type Seccomp struct {`
`17`	`17`	Architectures []Arch `json:"architectures,omitempty"`
`18`	`18`	ArchMap []Architecture `json:"archMap,omitempty"`
`19`	`19`	Syscalls []*Syscall `json:"syscalls"`
	`20`	+ Flags []string `json:"flags,omitempty"`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`// Architecture is used to represent a specific architecture`