| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Group the metadata information:
- simplify the json by removing the 'tag' and only using 'get' and 'set'
keys
- get uid and gid at runtime for the target ('caller'). This can be useful when
the UID and GID of the target are only known at runtime and they
need to be used for setting the permissions of files
- updated example demo/mknod.hjson
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Similarly to namespace specifications, the special value "caller", as
well as login/group names and numeric UID/GIDs are supported.
Example of usage in demo/mknod.hjson. Light on checks and with some
TODOs left behind at the moment.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| |
Split common functions in web/common.sh and created new script for
mknod demo. The demo uses the mount namespace of the caller.
Additionally, this removes extra commented lines in demo/mknod.hjson.
| |
    ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf

Start seitan with the socket option:

    ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten

Start the container:

    sudo rm -f /dev/lol
    sudo chown $USER:$USER /tmp/seitan.sock
    podman run -ti --runtime /usr/bin/crun \
        --security-opt label=disable \
        -v $(pwd)/test:/test \
        --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
        --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
        sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>