diff options
author | Alice Frosi <afrosi@redhat.com> | 2023-07-18 11:15:53 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-08-24 15:33:17 +0200 |
commit | 240eb94b44f9dc613a85911d4190df129372e9cc (patch) | |
tree | 2535780888d293b71aa5aadc70f2047f2a7f787b /cooker/main.c | |
parent | 3f2585770384586977483ec4c4b38fe4c3e5fc45 (diff) | |
download | seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.gz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.bz2 seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.lz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.xz seitan-240eb94b44f9dc613a85911d4190df129372e9cc.tar.zst seitan-240eb94b44f9dc613a85911d4190df129372e9cc.zip |
cooker: generate OCI seccomp profile
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Diffstat (limited to 'cooker/main.c')
-rw-r--r-- | cooker/main.c | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/cooker/main.c b/cooker/main.c index 85c4746..5c099ff 100644 --- a/cooker/main.c +++ b/cooker/main.c @@ -17,20 +17,23 @@ #include "gluten.h" #include "parse.h" #include "filter.h" +#include "seccomp_profile.h" /* Cooker options */ static struct option options[] = { { "input", required_argument, NULL, 'i' }, { "gluten", required_argument, NULL, 'g' }, { "filter", required_argument, NULL, 'f' }, - { "scmp-profile", required_argument, NULL, 'p' }, + { "scmp-out-prof", required_argument, NULL, 'p' }, + { "scmp-orig-prof", required_argument, NULL, 's' }, //??? is required }; struct arguments { char *input_file; char *gluten_file; char *filter_file; - char *scmp_profile_file; + char *scmp_prof_file; + char *orig_scmp_prof_file; }; static void usage() @@ -38,10 +41,11 @@ static void usage() printf("seitan-cooker: generate the BPF filters or seccomp profile and the action byte code for seitan\n" "Example: setain-cooker -i <input file> -g <gluten_file> -f <filter_file>\n" "Usage:\n" - "\t-i, --input:\tJSON input file\n" - "\t-g, --gluten:\tBytecode file for seitan action\n" - "\t-f, --filter:\tBPF filter file (cannot be used together with scmp-profile)\n" - "\t-p, --scmp-profile:\tSeccomp profile file (cannot be used together with filter)\n"); + "\t-i, --input:\t\tJSON input file\n" + "\t-g, --gluten:\t\tBytecode file for seitan action\n" + "\t-f, --filter:\t\tBPF filter file (cannot be used together with scmp-profile)\n" + "\t-p, --scmp-prof:\tSeccomp profile file (cannot be used together with filter)\n" + "\t-s, --scmp-orig-prof:\tOriginal seccomp profile (ignored if used with filter)\n"); exit(EXIT_FAILURE); } @@ -51,7 +55,7 @@ static void parse(int argc, char **argv, struct arguments *arguments) int oc; if (arguments == NULL) usage(); - while ((oc = getopt_long(argc, argv, ":i:g:f:p:", options, + while ((oc = getopt_long(argc, argv, ":i:g:f:p:s:", options, &option_index)) != -1) { switch (oc) { case 'i': @@ -64,7 +68,10 @@ static void parse(int argc, char **argv, struct arguments *arguments) arguments->filter_file = optarg; break; case 'p': - arguments->scmp_profile_file = optarg; + arguments->scmp_prof_file = optarg; + break; + case 's': + arguments->orig_scmp_prof_file = optarg; break; default: usage(); @@ -75,12 +82,12 @@ static void parse(int argc, char **argv, struct arguments *arguments) usage(); } if (arguments->filter_file != NULL && - arguments->scmp_profile_file != NULL) { + arguments->scmp_prof_file != NULL) { err("the filter and scmp-profile options cannot be used together"); usage(); } if (arguments->filter_file == NULL && - arguments->scmp_profile_file == NULL) { + arguments->scmp_prof_file == NULL) { err("select one of the options between filter and scmp-profile"); usage(); } @@ -104,12 +111,22 @@ int main(int argc, char **argv) parse(argc, argv, &arguments); + if (arguments.filter_file != NULL) { + g.mode = SCMP_FILTER; + } else { + g.mode = SCMP_PROFILE; + scmp_profile_init(arguments.orig_scmp_prof_file); + } + gluten_init(&g); parse_file(&g, arguments.input_file); gluten_write(&g, arguments.gluten_file); - filter_write(arguments.filter_file); + if (arguments.filter_file != NULL) + filter_write(arguments.filter_file); + else + scmp_profile_write(arguments.scmp_prof_file); return 0; } |