cooker: generate OCI seccomp profile

Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.

Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
  --security-opt=seccomp=/tmp/scmp_prof.json  \
  --annotation run.oci.seccomp.receiver=/tmp/seitan.sock  \
  -ti fedora   \
  sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol

Signed-off-by: Alice Frosi <afrosi@redhat.com>

1 files changed, 12 insertions, 2 deletions

diff --git a/cooker/emit.c b/cooker/emit.c
index 28afd29..ce325f1 100644
--- a/cooker/emit.c
+++ b/cooker/emit.c
@@ -14,6 +14,7 @@
 #include "filter.h"
 #include "util.h"
 #include "emit.h"
+#include "seccomp_profile.h"
 
 static const char *type_str[] = {
 	"UNDEF", "NONE",
@@ -549,8 +550,8 @@ static void gluten_link(struct gluten_ctx *g, enum jump_type type,
 	}
 }
 
-void emit_bpf_arg(int index, enum type type, union value v, union value mask,
-		  enum op_cmp_type cmp)
+static void emit_bpf_filter_arg(int index, enum type type, union value v,
+				union value mask, enum op_cmp_type cmp)
 {
 	struct bpf_field bpf;
 
@@ -575,6 +576,15 @@ void emit_bpf_arg(int index, enum type type, union value v, union value mask,
 	filter_add_check(&bpf);
 }
 
+void emit_bpf_arg(int index, enum type type, union value v, union value mask,
+		  enum op_cmp_type cmp, enum scmp_mode mode)
+{
+	if (mode == SCMP_FILTER)
+		emit_bpf_filter_arg(index, type, v, mask, cmp);
+	else
+		scmp_profile_add_check(index, v, mask, cmp);
+}
+
 void link_block(struct gluten_ctx *g)
 {
 	debug(" Linking block...");