From 240eb94b44f9dc613a85911d4190df129372e9cc Mon Sep 17 00:00:00 2001 From: Alice Frosi Date: Tue, 18 Jul 2023 11:15:53 +0200 Subject: cooker: generate OCI seccomp profile Generate the OCI seccomp profile instead of directly the BPF filter. The seccomp profile will be used consequently by the container runtime as input in order to generate the BPF filter. Example with mknod: $ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson $ seitan -s /tmp/seitan.sock -i /tmp/gluten $ podman run --cap-drop ALL --security-opt=seccomp=/tmp/scmp_prof.json \ --annotation run.oci.seccomp.receiver=/tmp/seitan.sock \ -ti fedora \ sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol' /dev/lol Signed-off-by: Alice Frosi --- cooker/match.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'cooker/match.c') diff --git a/cooker/match.c b/cooker/match.c index c83f9fe..eeedead 100644 --- a/cooker/match.c +++ b/cooker/match.c @@ -18,7 +18,7 @@ #include "util.h" #include "calls/net.h" - +#include "seccomp_profile.h" /** * arg_load() - Allocate and build bytecode for one syscall argument * @g: gluten context @@ -182,7 +182,7 @@ xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx emit_cmp(g, cmp, masked, cmp_offset, gluten_size[f->type], jump); - emit_bpf_arg(index, f->type, cmpterm, set, cmp); + emit_bpf_arg(index, f->type, cmpterm, set, cmp, g->mode); break; } @@ -213,7 +213,7 @@ xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx emit_cmp(g, cmp, data_offset, const_offset, gluten_size[f->type], jump); - emit_bpf_arg(index, f->type, v, mask, cmp); + emit_bpf_arg(index, f->type, v, mask, cmp, g->mode); break; case GNU_DEV_MAJOR: 
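Review bot: The emit_bpf_arg() call sites in this hunk (@@ -182) and the next one (@@ -213) now forward `g->mode` as a trailing argument, so the filter-vs-profile decision is taken inside emit_bpf_arg, while handle_matches (@@ -379) takes the same decision with an if/else at each call site; settling on one dispatch style for the mode switch keeps the two output paths easier to audit side by side. Passing the context itself, `emit_bpf_arg(g, index, f->type, cmpterm, set, cmp);`, would also spare callers from unpacking individual fields if emit_bpf_arg later needs more of the context. The new prototype of emit_bpf_arg lives outside cooker/match.c and is not part of this diff, so whether every caller was updated cannot be confirmed from here; the enclosing function starts and ends outside both hunks.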
@@ -379,9 +379,17 @@ void handle_matches(struct gluten_ctx *g, JSON_Value *value) debug(" Found description for %s", name); emit_nr(g, emit_data(g, U64, 0, &v)); - filter_notify(call->number); + if (g->mode == SCMP_FILTER) + filter_notify(call->number); + else + scmp_profile_notify(call->name); + parse_match(g, args, call->args); - filter_flush_args(call->number); + + if (g->mode == SCMP_FILTER) + filter_flush_args(call->number); + else + scmp_profile_flush_args(); break; } -- cgit v1.2.3
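Review bot: Both new branches treat every value of g->mode other than SCMP_FILTER as the profile mode, so an unrecognised or future mode would silently emit a seccomp profile instead of failing, and since that profile decides which syscalls the runtime forwards to seitan, an unintended output format is a policy-affecting mistake rather than a cosmetic one. Making the second case explicit, `else if (g->mode == <profile mode constant>)` followed by an else that aborts through the cooker's error helper, catches that at generation time. The same if/else is written twice within a few lines (notify, then flush_args); a small static helper taking `g` and `call` would keep the two dispatch points from drifting apart as more modes or hooks are added. Note also that the filter path is keyed by `call->number` while the profile path is keyed by `call->name`, so the name-to-number resolution presumably moves to the container runtime and a syscall known to seitan's table but not to the runtime's seccomp library would no longer behave identically on both paths; a short comment at the notify call recording that assumption would help the next reader. handle_matches continues outside the hunk.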