
[TEST] SeccompProfile CRD: add new fields for seccomp notify #1

Open: wants to merge 1 commit into main
Conversation

@alban alban commented Feb 2, 2022

Seccomp notify is a new feature in container runtimes introduced by

This patch adds:

  • The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
    seccomp agent
  • The ListenerPath and ListenerMetadata fields so the runtime can
    contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https://github.com/opencontainers/runtime-spec PR 1096 for details.
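As an added example (not code from this PR or from the operator), a Go validation check for the two points the review turns on: a profile must not name SECCOMP_FILTER_FLAG_NEW_LISTENER, and, as an assumed rule here, an SCMP_ACT_NOTIFY action is only accepted together with a listenerPath over which the runtime can contact the seccomp agent. The types are a hypothetical minimal mirror of the fields named in the description, not the operator's CRD types.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical minimal mirror of the fields the PR adds; not the operator's or runtime-spec's types.
type Syscall struct {
	Names  []string
	Action string
}

type Seccomp struct {
	DefaultAction string
	Flags         []string
	ListenerPath  string // UNIX socket of the seccomp agent
	Syscalls      []Syscall
}

const ActNotify = "SCMP_ACT_NOTIFY"
const FlagNewListener = "SECCOMP_FILTER_FLAG_NEW_LISTENER"

// allowedFlags is the flag set the reviewers want kept; the listener flag is
// deliberately absent, as the PR description and the review comments require.
var allowedFlags = map[string]bool{
	"SECCOMP_FILTER_FLAG_TSYNC": true, "SECCOMP_FILTER_FLAG_LOG": true,
	"SECCOMP_FILTER_FLAG_SPEC_ALLOW": true,
}

// Validate rejects profiles naming SECCOMP_FILTER_FLAG_NEW_LISTENER or any
// unknown flag and, as an assumed rule, profiles that use SCMP_ACT_NOTIFY
// without a listenerPath for the runtime to contact the agent over.
func Validate(p Seccomp) error {
	for _, f := range p.Flags {
		if f == FlagNewListener {
			return fmt.Errorf("%s must not be set in a profile", f)
		}
		if !allowedFlags[f] {
			return fmt.Errorf("unknown seccomp flag %q", f)
		}
	}
	usesNotify := p.DefaultAction == ActNotify
	for _, sc := range p.Syscalls {
		usesNotify = usesNotify || sc.Action == ActNotify
	}
	if usesNotify && p.ListenerPath == "" {
		return errors.New("SCMP_ACT_NOTIFY used without listenerPath")
	}
	return nil
}
```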


@rata rata left a comment


@alban awesome, thanks for doing this!

LGTM. Just a simple comment about a flag that must not be added (it is confusing, and there are already mistakes made in the OCI seccomp flags).

But that should be trivial; from my POV, feel free to fix that and just open the PR upstream.

@@ -64,7 +68,7 @@ type SeccompProfileSpec struct {
// +kubebuilder:validation:Enum=SCMP_ARCH_NATIVE;SCMP_ARCH_X86;SCMP_ARCH_X86_64;SCMP_ARCH_X32;SCMP_ARCH_ARM;SCMP_ARCH_AARCH64;SCMP_ARCH_MIPS;SCMP_ARCH_MIPS64;SCMP_ARCH_MIPS64N32;SCMP_ARCH_MIPSEL;SCMP_ARCH_MIPSEL64;SCMP_ARCH_MIPSEL64N32;SCMP_ARCH_PPC;SCMP_ARCH_PPC64;SCMP_ARCH_PPC64LE;SCMP_ARCH_S390;SCMP_ARCH_S390X;SCMP_ARCH_PARISC;SCMP_ARCH_PARISC64;SCMP_ARCH_RISCV64
type Arch string

// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW
// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW;SECCOMP_FILTER_FLAG_NEW_LISTENER
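Review bot: the replacement Enum marker on the last line of this hunk adds SECCOMP_FILTER_FLAG_NEW_LISTENER to the set of flags the CRD validation schema admits, which contradicts the PR description ("the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added") and the reviewer's reference to opencontainers/runtime-spec#1096. Because this marker is what the generated schema is built from, a profile naming that flag would pass API-server validation and reach the runtime. Suggest leaving the marker at `// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW` so the user-facing flag set stays unchanged while SCMP_ACT_NOTIFY, ListenerPath and ListenerMetadata are added.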

This shouldn't be added. See this PR: opencontainers/runtime-spec#1096

@@ -97,8 +98,16 @@ spec:
- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER
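Review bot: the new `- SECCOMP_FILTER_FLAG_NEW_LISTENER` entry here is the generated-YAML counterpart of the Enum marker change in the Go type; drop it together with the marker rather than by hand-editing this file alone, otherwise the next CRD regeneration reintroduces it. The same applies to the identical entry in the other generated CRD copies in this PR.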

idem, please remove

@@ -308,8 +309,16 @@ spec:
- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem, remove

@@ -308,8 +309,16 @@ spec:
- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

@@ -308,8 +309,16 @@ spec:
- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

@@ -308,8 +309,16 @@ spec:
- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

@alban alban force-pushed the alban_notify branch 2 times, most recently from b27da39 to 294bb86 on February 2, 2022 16:33. Commit message after the force-push:
Seccomp notify is a new feature in container runtimes introduced by
- https://github.com/opencontainers/runtime-spec PR 1074
- https://github.com/opencontainers/runc PR 2682 (available in runc 1.1.0)

This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
  seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can
  contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https://github.com/opencontainers/runtime-spec PR 1096 for details.