Alban Crequy (3): vendoring: Use libseccomp with notify support Implement Seccomp Notify contrib: add sample seccomp agent Mauricio Vásquez (4): libcontainer/utils: introduce SendFds libcontainer/specconv: extend SetupSeccomp tests tests: add functional tests for seccomp tests: add functional tests for seccomp notify Co-developed-by: Rodrigo Campos LGTMs: kolyshkin cyphar
Showing
35 changed files
with
2,052 additions
and
218 deletions.
@@ -0,0 +1,62 @@ | ||
# Seccomp Agent | ||
|
||
## Warning | ||
|
||
Please note this is an example agent, as such it is possible that specially | ||
crafted messages can produce bad behaviour. Please use it as an example only. | ||
|
||
Also, this agent is used for integration tests. Be aware that changing the | ||
behaviour can break the integration tests. | ||
|
||
## Get started | ||
|
||
Compile runc and seccompagent: | ||
```bash | ||
make all | ||
``` | ||
|
||
Run the seccomp agent in the background: | ||
```bash | ||
sudo ./contrib/cmd/seccompagent/seccompagent & | ||
``` | ||
|
||
Prepare a container: | ||
```bash | ||
mkdir container-seccomp-notify | ||
cd container-seccomp-notify | ||
mkdir rootfs | ||
docker export $(docker create busybox) | tar -C rootfs -xvf - | ||
``` | ||
|
||
Copy the example `config.json` file from the directory where this README.md is | ||
to the container directory you prepared earlier (`container-seccomp-notify`). | ||
This is a config.json as generated by `runc spec` at time of writing, with only | ||
the `args` and `seccomp` sections modified. | ||
|
||
Then start the container: | ||
```bash | ||
runc run mycontainerid | ||
``` | ||
|
||
The container will output something like this: | ||
```bash | ||
+ cd /dev/shm | ||
+ mkdir test-dir | ||
+ touch test-file | ||
+ chmod 777 test-file | ||
chmod: changing permissions of 'test-file': No medium found | ||
+ ls -l /dev/shm | ||
total 0 | ||
drwxr-xr-x 2 root root 40 Jul 21 14:09 test-dir-foo | ||
-rw-r--r-- 1 root root 0 Jul 21 14:09 test-file | ||
+ echo Note the agent added a suffix for the directory name and chmod fails | ||
Note the agent added a suffix for the directory name and chmod fails | ||
``` | ||
|
||
This shows a simple example that runs in /dev/shm just because it is a tmpfs in | ||
the example config.json. | ||
|
||
The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows. | ||
|
||
For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir" | ||
but the directory created is "test-dir-foo". |
@@ -0,0 +1,197 @@ | ||
{ | ||
"ociVersion": "1.0.2-dev", | ||
"process": { | ||
"terminal": true, | ||
"user": { | ||
"uid": 0, | ||
"gid": 0 | ||
}, | ||
"args": [ | ||
"sh", | ||
"-c", | ||
"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; ls -l /dev/shm; echo \"Note the agent added a suffix for the directory name and chmod fails\" " | ||
], | ||
"env": [ | ||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", | ||
"TERM=xterm" | ||
], | ||
"cwd": "/", | ||
"capabilities": { | ||
"bounding": [ | ||
"CAP_AUDIT_WRITE", | ||
"CAP_KILL", | ||
"CAP_NET_BIND_SERVICE" | ||
], | ||
"effective": [ | ||
"CAP_AUDIT_WRITE", | ||
"CAP_KILL", | ||
"CAP_NET_BIND_SERVICE" | ||
], | ||
"inheritable": [ | ||
"CAP_AUDIT_WRITE", | ||
"CAP_KILL", | ||
"CAP_NET_BIND_SERVICE" | ||
], | ||
"permitted": [ | ||
"CAP_AUDIT_WRITE", | ||
"CAP_KILL", | ||
"CAP_NET_BIND_SERVICE" | ||
], | ||
"ambient": [ | ||
"CAP_AUDIT_WRITE", | ||
"CAP_KILL", | ||
"CAP_NET_BIND_SERVICE" | ||
] | ||
}, | ||
"rlimits": [ | ||
{ | ||
"type": "RLIMIT_NOFILE", | ||
"hard": 1024, | ||
"soft": 1024 | ||
} | ||
], | ||
"noNewPrivileges": true | ||
}, | ||
"root": { | ||
"path": "rootfs", | ||
"readonly": true | ||
}, | ||
"hostname": "runc", | ||
"mounts": [ | ||
{ | ||
"destination": "/proc", | ||
"type": "proc", | ||
"source": "proc" | ||
}, | ||
{ | ||
"destination": "/dev", | ||
"type": "tmpfs", | ||
"source": "tmpfs", | ||
"options": [ | ||
"nosuid", | ||
"strictatime", | ||
"mode=755", | ||
"size=65536k" | ||
] | ||
}, | ||
{ | ||
"destination": "/dev/pts", | ||
"type": "devpts", | ||
"source": "devpts", | ||
"options": [ | ||
"nosuid", | ||
"noexec", | ||
"newinstance", | ||
"ptmxmode=0666", | ||
"mode=0620", | ||
"gid=5" | ||
] | ||
}, | ||
{ | ||
"destination": "/dev/shm", | ||
"type": "tmpfs", | ||
"source": "shm", | ||
"options": [ | ||
"nosuid", | ||
"noexec", | ||
"nodev", | ||
"mode=1777", | ||
"size=65536k" | ||
] | ||
}, | ||
{ | ||
"destination": "/dev/mqueue", | ||
"type": "mqueue", | ||
"source": "mqueue", | ||
"options": [ | ||
"nosuid", | ||
"noexec", | ||
"nodev" | ||
] | ||
}, | ||
{ | ||
"destination": "/sys", | ||
"type": "sysfs", | ||
"source": "sysfs", | ||
"options": [ | ||
"nosuid", | ||
"noexec", | ||
"nodev", | ||
"ro" | ||
] | ||
}, | ||
{ | ||
"destination": "/sys/fs/cgroup", | ||
"type": "cgroup", | ||
"source": "cgroup", | ||
"options": [ | ||
"nosuid", | ||
"noexec", | ||
"nodev", | ||
"relatime", | ||
"ro" | ||
] | ||
} | ||
], | ||
"linux": { | ||
"seccomp": { | ||
"defaultAction": "SCMP_ACT_ALLOW", | ||
"listenerPath": "/run/seccomp-agent.socket", | ||
"listenerMetadata": "foo", | ||
"architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], | ||
"syscalls": [ | ||
{ | ||
"names": [ "chmod", "fchmod", "fchmodat", "mkdir" ], | ||
"action": "SCMP_ACT_NOTIFY" | ||
} | ||
] | ||
}, | ||
"resources": { | ||
"devices": [ | ||
{ | ||
"allow": false, | ||
"access": "rwm" | ||
} | ||
] | ||
}, | ||
"namespaces": [ | ||
{ | ||
"type": "pid" | ||
}, | ||
{ | ||
"type": "network" | ||
}, | ||
{ | ||
"type": "ipc" | ||
}, | ||
{ | ||
"type": "uts" | ||
}, | ||
{ | ||
"type": "mount" | ||
}, | ||
{ | ||
"type": "cgroup" | ||
} | ||
], | ||
"maskedPaths": [ | ||
"/proc/acpi", | ||
"/proc/asound", | ||
"/proc/kcore", | ||
"/proc/keys", | ||
"/proc/latency_stats", | ||
"/proc/timer_list", | ||
"/proc/timer_stats", | ||
"/proc/sched_debug", | ||
"/sys/firmware", | ||
"/proc/scsi" | ||
], | ||
"readonlyPaths": [ | ||
"/proc/bus", | ||
"/proc/fs", | ||
"/proc/irq", | ||
"/proc/sys", | ||
"/proc/sysrq-trigger" | ||
] | ||
} | ||
} |
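Review bot: The notify rule at the `"names"` line lists the legacy `mkdir` syscall but not `mkdirat`, so on an ABI that has no `mkdir` entry (arm64, where libc's `mkdir()` issues `mkdirat`) the container's `mkdir test-dir` is never forwarded to the agent and the `test-dir-foo` output the README promises cannot appear; the `chmod` half is unaffected because `fchmodat` is also listed. If the sample agent already handles the `*at` variant, the rule should read `"names": [ "chmod", "fchmod", "fchmodat", "mkdir", "mkdirat" ],`; if it does not, the README should state that the example is x86-64 only. The `"architectures"` entry looks like the x86 default from `runc spec` (the README says the file was generated that way), which suggests the sample was only exercised on x86-64. A short README sentence listing which syscalls are intercepted, and why the `*at` variants matter, would keep the config and the agent in step.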