Add support for seccomp filter flags

crun supports seccomp filter flags since containers/crun@fefabff runc will get them with opencontainers/runc#3390 youki will get them with containers/youki#733 To support them generally, we now copy the flags during the seccomp setup, otherwise they will get lost. Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert · Feb 23, 2022 · ca5e983 · ca5e983
1 parent 194ee74
commit ca5e983
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
@@ -1,3 +1,4 @@
+//go:build seccomp
 // +build seccomp
 
 // SPDX-License-Identifier: Apache-2.0
@@ -120,6 +121,10 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
  return nil, err
  }
 
+ for _, flag := range config.Flags {
+ newConfig.Flags = append(newConfig.Flags, specs.LinuxSeccompFlag(flag))
+ }
+
  if len(config.ArchMap) != 0 {
  for _, a := range config.ArchMap {
  seccompArch, ok := nativeToSeccomp[arch]

diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
@@ -17,6 +17,7 @@ type Seccomp struct {
  Architectures []Arch `json:"architectures,omitempty"`
  ArchMap []Architecture `json:"archMap,omitempty"`
  Syscalls []*Syscall `json:"syscalls"`
+ Flags []string `json:"flags,omitempty"`
 }
 
 // Architecture is used to represent a specific architecture