diff options
author | Alice Frosi <afrosi@redhat.com> | 2023-07-18 11:15:53 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-08-24 15:33:17 +0200 |
commit | 240eb94b44f9dc613a85911d4190df129372e9cc (patch) | |
tree | 2535780888d293b71aa5aadc70f2047f2a7f787b /common | |
parent | 3f2585770384586977483ec4c4b38fe4c3e5fc45 (diff) | |
download | seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.gz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.bz2 seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.lz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.xz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.zst seitan-240eb94b44f9dc613a85911d4190df129372e9cc.zip |
cooker: generate OCI seccomp profile
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Diffstat (limited to 'common')
-rw-r--r-- | common/util.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/common/util.h b/common/util.h index b11edb6..a587665 100644 --- a/common/util.h +++ b/common/util.h @@ -8,6 +8,7 @@ #include <string.h> #include <stdint.h> +#include <stdlib.h> #include <errno.h> #define BIT(n) (1UL << (n)) |