Commit message | Author | Age | Files | Lines

* cooker: add chown and lchown | Alice Frosi | 2023-08-25 | 2 | -1/+31

* demo: clean-up leftover files | Alice Frosi | 2023-08-24 | 2 | -1/+0

* gitignore: ignore .swp files | Alice Frosi | 2023-08-24 | 1 | -0/+1

* demo: clean-up the directory | Alice Frosi | 2023-08-24 | 9 | -133/+0

* cooker: generate OCI seccomp profile | Alice Frosi | 2023-08-24 | 8 | -21/+560

    Generate the OCI seccomp profile instead of the BPF filter directly.
    The seccomp profile will consequently be used by the container runtime
    as input in order to generate the BPF filter.

    Example with mknod:

    $ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
    $ seitan -s /tmp/seitan.sock -i /tmp/gluten
    $ podman run --cap-drop ALL --security-opt=seccomp=/tmp/scmp_prof.json \
        --annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
        -ti fedora \
        sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
    /dev/lol

    Signed-off-by: Alice Frosi <afrosi@redhat.com>
* cooker: add flags with getopts | Alice Frosi | 2023-08-24 | 2 | -6/+88

* seitan: configure uid and gid for the socket | Alice Frosi | 2023-08-24 | 1 | -4/+22

    Allow setting a different uid and gid for the socket; otherwise seitan
    uses its own uid and gid.

    Signed-off-by: Alice Frosi <afrosi@redhat.com>

* test: fix test-error-check | Alice Frosi | 2023-07-14 | 4 | -109/+97

    The error-check tests recompile and pass.

* common, ops: add error print and return if desc is empty | Alice Frosi | 2023-07-14 | 2 | -4/+11

* seitan: Zero out the request structure before SECCOMP_IOCTL_NOTIF_RECV | Stefano Brivio | 2023-07-05 | 1 | -0/+1

    Otherwise we'll get EINVAL (as expected) -- reproducibly, at least, when
    we handle more than one call.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* seitan: If setfd is not set, don't add SECCOMP_ADDFD_FLAG_SETFD | Stefano Brivio | 2023-07-05 | 1 | -1/+1

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test: fix filter tests | Alice Frosi | 2023-07-04 | 2 | -45/+56

    The filter tests recompile and pass.

* demo: clean-up | Alice Frosi | 2023-07-04 | 12 | -0/+2

    Remove all the *.gluten and *.bpf files and add them to .gitignore.

* Fix makefile for debug target | Alice Frosi | 2023-07-04 | 2 | -6/+4

* test: fix filter-build test and bugs | Alice Frosi | 2023-07-03 | 9 | -124/+125

    The tests for checking the filter build recompile and are successful.

    Changes:
    - spotted a couple of bugs for adding the arguments in the filter
    - re-added function `filter_flush_args` to flush_args; this is needed to
      distinguish when the arguments belong to the same block or are
      different entries to the same syscall
    - build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
      don't need to awkwardly negate the operations (still TODO for AND_EQ)
* README: Variable size for diagram | Stefano Brivio | 2023-07-03 | 1 | -1/+1

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* vm-images: add connection to qemu:///system | Alice Frosi | 2023-06-29 | 1 | -2/+5

    Use system mode as suggested by the documentation.
    Added a note for directory permissions.

* cooker, seitan: Add support for GID/UID in context | Stefano Brivio | 2023-06-28 | 6 | -21/+93

    Similarly to namespace specifications, the special value "caller", as
    well as login/group names and numeric UID/GIDs are supported.

    Example of usage in demo/mknod.hjson.

    Light on checks and with some TODOs left behind at the moment.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* vm-images: create script to setup fcos test VM | Alice Frosi | 2023-06-28 | 2 | -0/+75

* common: move cmp_type_str in util | Alice Frosi | 2023-06-28 | 3 | -5/+6

* Update demos | Alice Frosi | 2023-06-28 | 18 | -5/+113

* cooker/match: Fix mask calculation for GNU_DEV_MINOR | Stefano Brivio | 2023-06-27 | 1 | -2/+2

    Starting from the Linux 2.6 series, we have 20 bits of minor (not 32)
    and the gap between low and high bits is 12 bits, meaning the high ones
    are shifted by 20 (not 12).

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
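The dev_t layout that commit describes, as an added example written here rather than code from seitan: it encodes a (major, minor) pair the way glibc's makedev() does, derives the mask a filter needs to match a dev_t argument on its minor number alone, and cross-checks the result against the host C library. The helper names (dev_make, dev_minor, dev_major, minor_matches, mask_covers_minor, agrees_with_libc) and the sample device numbers are assumptions of this example; only the bit layout comes from glibc's sys/sysmacros.h.

```c
/*
 * Added example, not seitan's own code. dev_t layout since Linux 2.6, as
 * implemented by glibc's makedev()/major()/minor():
 *
 *   bits  0..7   minor, low 8 bits
 *   bits  8..19  major, low 12 bits
 *   bits 20..31  minor, high 12 bits  (20-bit minor in total)
 *   bits 32..63  major, high bits
 *
 * The minor is therefore split by a 12-bit gap holding the major, and its
 * upper 12 bits sit at bit 20, not bit 12.
 */
#include <stdint.h>
#include <stdio.h>
#include <sys/sysmacros.h>	/* host makedev()/major()/minor(), used only to cross-check */

#define MINOR_LOW_MASK	UINT64_C(0x000000ff)		/* bits  0..7  */
#define MAJOR_LOW_MASK	UINT64_C(0x000fff00)		/* bits  8..19 */
#define MINOR_HIGH_MASK	UINT64_C(0xfff00000)		/* bits 20..31 */
#define MAJOR_HIGH_MASK	UINT64_C(0xffffffff00000000)	/* bits 32..63 */

/* Mask selecting every bit of the minor in a dev_t: 0xfff000ff. */
#define MINOR_MASK	(MINOR_LOW_MASK | MINOR_HIGH_MASK)

/* Encode (major, minor) exactly as glibc's makedev() does (minor <= 20 bits). */
static uint64_t dev_make(uint32_t maj, uint32_t mnr)
{
	return  (uint64_t)(mnr & 0xffu)
	      | ((uint64_t)(maj & 0xfffu) << 8)
	      | ((uint64_t)(mnr & ~0xffu) << 12)
	      | ((uint64_t)(maj & ~0xfffu) << 32);
}

/* Reassemble the minor: low byte from bits 0..7, the rest from bits 20..31. */
static uint32_t dev_minor(uint64_t dev)
{
	return (uint32_t)((dev & 0xffu) | ((dev >> 12) & ~0xffu));
}

/* Reassemble the major: 12 bits from bits 8..19, the rest from bits 32..63. */
static uint32_t dev_major(uint64_t dev)
{
	return (uint32_t)(((dev >> 8) & 0xfffu) | ((dev >> 32) & ~0xfffu));
}

/* Match a dev_t on its minor only, ignoring the major, the way a masked
 * argument comparison in a filter would. */
static int minor_matches(uint64_t dev, uint32_t wanted_mnr)
{
	return (dev & MINOR_MASK) == (dev_make(0, wanted_mnr) & MINOR_MASK);
}

/* Does a candidate mask cover every bit of the minor? A hypothetical mask
 * of 0x000fffff (bits 0..19) does not: it misses the upper 12 bits and
 * instead pulls in the major's low bits. */
static int mask_covers_minor(uint64_t mask)
{
	return (mask & MINOR_MASK) == MINOR_MASK;
}

/* Cross-check our encoding and decoding against the C library on this host. */
static int agrees_with_libc(uint32_t maj, uint32_t mnr)
{
	uint64_t ours = dev_make(maj, mnr);
	uint64_t libc = (uint64_t)makedev(maj, mnr);

	return ours == libc &&
	       dev_major(libc) == major(libc) &&
	       dev_minor(libc) == minor(libc);
}

int main(void)
{
	/* Constructed samples: the demo's "mknod /dev/lol c 1 7", and a device
	 * whose minor uses all 20 bits so the upper half is visible. */
	uint64_t lol = dev_make(1, 7);
	uint64_t big = dev_make(0xabc, 0x12345);

	printf("c 1 7          -> dev_t 0x%llx (major %u, minor %u)\n",
	       (unsigned long long)lol, dev_major(lol), dev_minor(lol));
	printf("c 0xabc 0x12345 -> dev_t 0x%llx (major 0x%x, minor 0x%x)\n",
	       (unsigned long long)big, dev_major(big), dev_minor(big));
	printf("minor mask       0x%llx\n", (unsigned long long)MINOR_MASK);
	printf("minor 0x12345 matches major 5 too: %d\n",
	       minor_matches(dev_make(5, 0x12345), 0x12345));
	printf("mask 0xfffff covers the minor: %d\n",
	       mask_covers_minor(UINT64_C(0xfffff)));
	printf("agrees with libc: %d\n", agrees_with_libc(0xabc, 0x12345));
	return 0;
}
```

The point of the masked comparison is that a filter matching a device by minor must keep 0xfff000ff, not a contiguous run of 20 low bits: the 12 bits in the middle belong to the major, so a mask of bits 0..19 would ignore every minor above 255 and let any device sharing the low byte through.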
* README | Stefano Brivio | 2023-06-21 | 1 | -39/+64

* README | Stefano Brivio | 2023-06-15 | 1 | -1/+1

* demo: Add read.hjson example | Stefano Brivio | 2023-06-15 | 1 | -0/+13

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo: script to download demo | Alice Frosi | 2023-06-15 | 1 | -0/+9

* seitan: Fix typo in prepare_arg_clone() | Stefano Brivio | 2023-06-14 | 1 | -1/+1

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo: missing demo part | Alice Frosi | 2023-06-14 | 2 | -0/+3

    Add echo abcd for the connect demo.
    Pull and make before running the demo.

* demo: simplify and adjust scripts | Alice Frosi | 2023-06-14 | 4 | -29/+14

* Merge branch 'devel' | Alice Frosi | 2023-06-14 | 4 | -10/+14
|\
| * cooker: fix initialization and variable type | Alice Frosi | 2023-06-14 | 2 | -7/+5
| |
| * demo: update demo | Alice Frosi | 2023-06-14 | 2 | -3/+9
| |
* | Makefile: Fix build | Stefano Brivio | 2023-06-14 | 1 | -1/+1
|/
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* cooker: Fix up debugging messages for "return" | Stefano Brivio | 2023-06-14 | 5 | -24/+47

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker/parse: Error out on 'continue' with value/error tag | Stefano Brivio | 2023-06-14 | 1 | -4/+4

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* cooker/calls: Actually add io.{c,h} | Stefano Brivio | 2023-06-14 | 2 | -0/+135

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* cooker/filter: Stop the sock_filter cast madness | Stefano Brivio | 2023-06-14 | 2 | -92/+65

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* cooker: Support for read(), OP_STORE, field-based filters | Stefano Brivio | 2023-06-14 | 13 | -231/+386

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* gluten: remove unused blk op | Alice Frosi | 2023-06-12 | 1 | -1/+0

* filter: increment counter only if call has args | Alice Frosi | 2023-06-12 | 1 | -0/+2

* cooker: Pass arguments to filter | Stefano Brivio | 2023-06-09 | 7 | -11/+76

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo: with mknod and podman | Alice Frosi | 2023-06-09 | 4 | -105/+160

    Split common functions into web/common.sh and created a new script for
    the mknod demo. The demo uses the mount namespace of the caller.
    Additionally, this removes extra commented lines in demo/mknod.hjson.

* seitan,cooker: add wd to change work directory and mknod | Alice Frosi | 2023-06-09 | 9 | -102/+132

    ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf

    Start seitan with the socket option:

    ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten

    Start the container:

    sudo rm -f /dev/lol
    sudo chown $USER:$USER /tmp/seitan.sock
    podman run -ti --runtime /usr/bin/crun \
        --security-opt label=disable \
        -v $(pwd)/test:/test \
        --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
        --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
        sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'

* cooker: Full support for flags and masks, assorted fixes | Stefano Brivio | 2023-06-08 | 12 | -52/+193

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* mknod/mknodat values, initial support for MASK flag, OP_BITWISE | Stefano Brivio | 2023-06-07 | 11 | -87/+225

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* seitan, cooker: refactor op_return | Alice Frosi | 2023-06-07 | 8 | -89/+76

    Refactor OP_RETURN:
    - merged OP_BLOCK and OP_CONT into OP_RETURN
    - add desc field for op_return
    - updated the demo files

* seitan,cooker: op_resolvefd | Alice Frosi | 2023-06-07 | 8 | -18/+88

    ops:
    - update resolvefd with the description
    - add debug prints

    cooker:
    - add emit_resolvefd when match has type FDPATH

* web: generating connect demo with asciinema | Alice Frosi | 2023-06-07 | 1 | -0/+189

* seitan, main: Più umano più vero (more human, more true) | Stefano Brivio | 2023-06-07 | 1 | -20/+25

    ...and terminate on EPOLLHUP.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo: Add mknod.hjson | Stefano Brivio | 2023-06-06 | 1 | -0/+42

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>