| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix the starting index, otherwise we miss the first call in sets
(say, mknod in filesystem calls).
And if we don't find a matching name for the system call, actually
return it, instead of trying to fetch it from the current (invalid)
call.
Fixes: bdbec30a8498 ("seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
| |
Mostly assorted fixes, a new FDGET operation (get a copy of the
target file descriptor via pidfd_getfd()) and a new "FD" flag that
means we have to do that on direct tag reference.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
| |
A bit rough at the moment, but it does the trick. Bonus: setsockopt()
(with magic values only, not used in any demo yet).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
...including the check on whether the given object is a top-level
(corresponding to a full argument) metadata tag.
Fixes: d3917582873d ("cooker: simplify tag and add caller metadata")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
| |
...no examples yet, but it's trivial as the prototype is exactly the
same as connect().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.
Add a couple of syscalls for the scheduler in the string parsing.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| | |
|
| |
|
|
|
|
| |
Fixes:
- return an error message in do_clone instead of exit
- check if the type of context is out-of-bound
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Group the metadata information:
- simplify the json by removing the 'tag' and only using 'get' and 'set'
keys
- get uid and gid at runtime for the target ('caller'). This can be useful when
the the UID and GID of the target are only known at runtime and they
need to be used for setting the permissions of files
- updated example demo/mknod.hjson
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| | |
|
| |
|
|
|
|
|
| |
Allow setting a different uid and gid for the socket, otherwise seitan
uses its own uid and gid.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
| |
The error-check tests recompile and pass.
|
| | |
|
| |
|
|
|
|
|
| |
Otherwise we'll get EINVAL (as expected) -- reproducibly, at least,
when we handle more than one call.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
The filter tests recompile and pass.
|
| |
|
|
| |
Remove all the *.gluten and *.bpf files and added the files to gitignore
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The tests for checking the filter build recompile and are successfull.
Changes:
- spotted a couple of bugs for adding the arguments in the filter
- readded function `filter_flush_args` to flush_args; this is needed
to distinguish when the arguments belong to the same block or are different
entries to the same syscall
- build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
don't need to awkwardly negate the operations (still TODO for AND_EQ)
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
| |
Use system mode as suggested by the documentation.
Added a note for directory permissions
|
| |
|
|
|
|
|
|
|
|
| |
Similarly to namespace specifications, the special value "caller", as
well as login/group names and numeric UID/GIDs are supported.
Example of usage in demo/mknod.hjson. Light on checks and with some
TODOs left behind at the moment.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Starting from Linux 2.6 series, we have 20 bits of minor (not 32)
and the gap between low and high bits is 12 bits, meaning the high
ones are shifted by 20 (not 12).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
| |
Add echo abcd for connect demo.
Pull and make before running the demo.
|
| | |
|
| |\ |
|
| | | |
|
| | | |
|
