seccomp: set SPEC_ALLOW by default

If no seccomps flags are set in OCI runtime spec (not even the empty
set), set SPEC_ALLOW by default. Otherwise, use the flags set.

This mimics the crun behavior, and makes runc seccomp performance on par
with crun.

Signed-off-by: Kir Kolyshkin <[email protected]>

libcontainer/specconv/spec_linux.go

@@ -1020,16 +1020,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
  newConfig := new(configs.Seccomp)
  newConfig.Syscalls = []*configs.Syscall{}
 
- // The list of flags defined in runtime-spec is a subset of the flags
- // in the seccomp() syscall
- for _, flag := range config.Flags {
- switch flag {
- case "SECCOMP_FILTER_FLAG_TSYNC":
- // Tsync can be silently ignored
- case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
- newConfig.Flags = append(newConfig.Flags, flag)
- default:
- return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+ if config.Flags == nil {
+ // No flags are set explicitly (not even the empty set);
+ // set the default of specs.LinuxSeccompFlagSpecAllow.
+ newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
+ } else {
+ // The list of flags defined in runtime-spec is a subset of the flags
+ // in the seccomp() syscall.
+ for _, flag := range config.Flags {
+ switch flag {
+ case "SECCOMP_FILTER_FLAG_TSYNC":
+ // Tsync can be silently ignored
+ case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
+ newConfig.Flags = append(newConfig.Flags, flag)
+ default:
+ return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+ }
  }
  }
 

tests/integration/seccomp.bats

@@ -80,7 +80,7 @@ function teardown() {
  }'
 
  declare -A FLAGS=(
- ['REMOVE']=0 # No setting, use built-in default.
+ ['REMOVE']=4 # No setting, use built-in default.
  ['EMPTY']=0 # Empty set of flags.
  ['"SECCOMP_FILTER_FLAG_LOG"']=2
  ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4