author | Alice Frosi <afrosi@redhat.com> | 2023-07-18 11:15:53 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-08-24 15:33:17 +0200 |
commit | 240eb94b44f9dc613a85911d4190df129372e9cc (patch) | |
tree | 2535780888d293b71aa5aadc70f2047f2a7f787b /cooker/match.c | |
parent | 3f2585770384586977483ec4c4b38fe4c3e5fc45 (diff) | |
cooker: generate OCI seccomp profile
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will then be consumed by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Diffstat (limited to 'cooker/match.c')
-rw-r--r-- | cooker/match.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/cooker/match.c b/cooker/match.c
index c83f9fe..eeedead 100644
--- a/cooker/match.c
+++ b/cooker/match.c
@@ -18,7 +18,7 @@
 #include "util.h"
 #include "calls/net.h"
-
+#include "seccomp_profile.h"
 /**
 * arg_load() - Allocate and build bytecode for one syscall argument
 * @g: gluten context
@@ -182,7 +182,7 @@ xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
 emit_cmp(g, cmp, masked, cmp_offset, gluten_size[f->type], jump);
- emit_bpf_arg(index, f->type, cmpterm, set, cmp);
+ emit_bpf_arg(index, f->type, cmpterm, set, cmp, g->mode);
 break;
 }
@@ -213,7 +213,7 @@ xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
 emit_cmp(g, cmp, data_offset, const_offset, gluten_size[f->type], jump);
- emit_bpf_arg(index, f->type, v, mask, cmp);
+ emit_bpf_arg(index, f->type, v, mask, cmp, g->mode);
 break;
 case GNU_DEV_MAJOR:
@@ -379,9 +379,17 @@ void handle_matches(struct gluten_ctx *g, JSON_Value *value)
 debug(" Found description for %s", name);
 emit_nr(g, emit_data(g, U64, 0, &v));
- filter_notify(call->number);
+ if (g->mode == SCMP_FILTER)
+ filter_notify(call->number);
+ else
+ scmp_profile_notify(call->name);
+
 parse_match(g, args, call->args);
- filter_flush_args(call->number);
+
+ if (g->mode == SCMP_FILTER)
+ filter_flush_args(call->number);
+ else
+ scmp_profile_flush_args();
 break;
 } |
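Review bot: The two new `else` branches in handle_matches() (the filter_notify() and filter_flush_args() sites in the last hunk) send every g->mode value other than SCMP_FILTER to the seccomp-profile emitters, so a zero-initialised or unrecognised mode silently produces a profile instead of failing; an explicit test of the profile mode with a failing fallback is safer, e.g. `else if (g->mode == <PROFILE_MODE_VALUE>) scmp_profile_notify(call->name); else <report unknown mode and stop>` with the real enum constant taken from seccomp_profile.h, and the same at the flush site. Note also that the filter path keys the syscall on call->number while the profile path keys it on call->name and scmp_profile_flush_args() takes no argument, so the profile helpers presumably carry the current syscall as internal state set by scmp_profile_notify(); a one-line comment such as `/* profile side tracks the current syscall by name from scmp_profile_notify() */` would make that contract visible here. The same g->mode is threaded into emit_bpf_arg() in the two earlier hunks; all three enclosing functions start and end outside their hunks, so whether mode is validated at the top of handle_matches() cannot be seen from here.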