| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Allow setting a different uid and gid for the socket, otherwise seitan
uses its own uid and gid.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
|
|
|
| |
The error-check tests recompile and pass.
|
| |
|
|
|
|
|
|
|
| |
Otherwise we'll get EINVAL (as expected) -- reproducibly, at least,
when we handle more than one call.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
The filter tests recompile and pass.
|
|
|
|
| |
Remove all the *.gluten and *.bpf files and added the files to gitignore
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tests for checking the filter build recompile and are successfull.
Changes:
- spotted a couple of bugs for adding the arguments in the filter
- readded function `filter_flush_args` to flush_args; this is needed
to distinguish when the arguments belong to the same block or are different
entries to the same syscall
- build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
don't need to awkwardly negate the operations (still TODO for AND_EQ)
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
| |
Use system mode as suggested by the documentation.
Added a note for directory permissions
|
|
|
|
|
|
|
|
|
|
| |
Similarly to namespace specifications, the special value "caller", as
well as login/group names and numeric UID/GIDs are supported.
Example of usage in demo/mknod.hjson. Light on checks and with some
TODOs left behind at the moment.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Starting from Linux 2.6 series, we have 20 bits of minor (not 32)
and the gap between low and high bits is 12 bits, meaning the high
ones are shifted by 20 (not 12).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
| |
Add echo abcd for connect demo.
Pull and make before running the demo.
|
| |
|
|\ |
|
| | |
|
| | |
|
|/
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
| |
Splited common functions in web/common.sh and created new script for
mknod demo. The demo uses the mount namespace of the caller.
Additionally, this removes extra commented lines in demo/mknod.hjson.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf
Start seitan with the socket option:
./seitan -s /tmp/seitan.sock -i demo/mknod.gluten
Start the container:
sudo rm -f /dev/lol
sudo chown $USER:$USER /tmp/seitan.sock
podman run -ti --runtime /usr/bin/crun \
--security-opt label=disable \
-v $(pwd)/test:/test \
--annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
| |
Refactor OP_RETURN:
- merged OP_BLOCK and OP_CONT into OP_RETURN
- add desc field for op_return
- updated the demo files
|
|
|
|
|
|
|
|
|
| |
ops:
- update resolvefd with the description
- add debug prints
cooker:
- add emit_resolvefd when match has type FDPATH
|
| |
|
|
|
|
|
|
| |
...and terminate on EPOLLHUP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
| |
While at it:
- directly assign 'fd' in eater from install_filter()
- turn op_cmp into a description-style thing
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
| |
If DIR already exists, just remove our entries.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|