This was a leftover of the previous version.

The logging mode creates a BPF filter where all the syscalls trigger a
notification to the seccomp notifier.

OCI spec and container runtimes expect to send the seccomp notifier fd
through a unix socket. This mode is complementary to retrieving the file
descriptor using the pid of the target process.
Add option to log the syscalls.

Move find_fd_seccomp_notifier to common.c to be reused
in other places.
Signed-off-by: Alice Frosi <afrosi@redhat.com>

Instead of assuming that the fd of the notifier is always 3, find the
correct fd from procfs.
Signed-off-by: Alice Frosi <afrosi@redhat.com>

The connect syscall was used to synchronize seitan and the eater for the
seccomp installation filter and notifier initialization. However, we
assume that the fd 0 is always free, and this might not always be the
case.
Try to implement an alternative and more robust solution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>

Repeatedly listen for seccomp notification events using epoll.
Signed-off-by: Alice Frosi <afrosi@redhat.com>

Avoid hardcoded values and set the option from command line.
Example:
./seitan -i action -p 1234
Signed-off-by: Alice Frosi <afrosi@redhat.com>

Signed-off-by: Alice Frosi <afrosi@redhat.com>

...the PROC_EVENT_EXEC we're looking for might be hiding there. Also,
avoid a possible endless loop on NLMSG_NOOP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>