seccomp: add support for SECCOMP_FILTER_FLAG_LOG

Signed-off-by: Alban Crequy <[email protected]>
opencontainers · Feb 22, 2022 · 40d8286 · 40d8286
1 parent 2436322
commit 40d8286
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 5 deletions.
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -33,6 +33,7 @@ type IDMap struct {
 type Seccomp struct {
  DefaultAction Action `json:"default_action"`
  Architectures []string `json:"architectures"`
+ Flags []string `json:"flags"`
  Syscalls []*Syscall `json:"syscalls"`
  DefaultErrnoRet *uint `json:"default_errno_ret"`
  ListenerPath string `json:"listener_path,omitempty"`

diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -86,6 +86,18 @@ func InitSeccomp(config *configs.Seccomp) (int, error) {
  }
  }
 
+ // Add extra flags
+ for _, flag := range config.Flags {
+ switch flag {
+ case "SECCOMP_FILTER_FLAG_LOG":
+ if err := filter.SetLogBit(true); err != nil {
+ return -1, fmt.Errorf("error adding log flag to seccomp filter: %w", err)
+ }
+ default:
+ return -1, fmt.Errorf("seccomp flags %q not yet supported by runc", flag)
+ }
+ }
+
  // Unset no new privs bit
  if err := filter.SetNoNewPrivsBit(false); err != nil {
  return -1, fmt.Errorf("error setting no new privileges: %w", err)

diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -1016,14 +1016,19 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
  return nil, nil
  }
 
- // We don't currently support seccomp flags.
- if len(config.Flags) != 0 {
- return nil, errors.New("seccomp flags are not yet supported by runc")
- }
-
  newConfig := new(configs.Seccomp)
  newConfig.Syscalls = []*configs.Syscall{}
 
+ // We don't currently support all seccomp flags.
+ for _, flag := range config.Flags {
+ switch flag {
+ case "SECCOMP_FILTER_FLAG_LOG":
+ newConfig.Flags = append(newConfig.Flags, "SECCOMP_FILTER_FLAG_LOG")
+ default:
+ return nil, fmt.Errorf("seccomp flags %q not yet supported by runc", flag)
+ }
+ }
+
  if len(config.Architectures) > 0 {
  newConfig.Architectures = []string{}
  for _, arch := range config.Architectures {

diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
@@ -66,6 +66,24 @@ function teardown() {
  [[ "$output" == *"Network is down"* ]]
 }
 
+@test "runc run [seccomp] (SECCOMP_FILTER_FLAG_LOG)" {
+ requires_kernel 4.14 # SECCOMP_FILTER_FLAG_LOG appeared in Linux 4.14
+ update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+ | .process.noNewPrivileges = false
+ | .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+ "flags":["SECCOMP_FILTER_FLAG_LOG"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+ }'
+
+ # This test checks that the log flag is accepted but does not check the
+ # audit log
+ runc run test_busybox
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
+}
+
 @test "runc run [seccomp] (SCMP_ACT_KILL)" {
  update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
  | .process.noNewPrivileges = false