feat: add a syscall allow list in the SPOD configuration

api/spod/v1alpha1/spod_types.go

@@ -87,6 +87,10 @@ type SPODSpec struct {
 	// SPO's webhooks
 	// +optional
 	WebhookOpts []WebhookOptions `json:"webhookOptions,omitempty"`
+	// AllowedSyscalls if specified, a list of system calls which are allowed
+	// in seccomp profiles.
+	// +optional
+	AllowedSyscalls []string `json:"allowedSyscalls,omitempty"`
 }
 
 // SPODState defines the state that the spod is in.

bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml

@@ -43,6 +43,12 @@ spec:
           spec:
             description: SPODStatus defines the desired state of SPOD.
             properties:
+              allowedSyscalls:
+                description: AllowedSyscalls if specified, a list of system calls
+                  which are allowed in seccomp profiles.
+                items:
+                  type: string
+                type: array
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

bundle/manifests/spod_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -114,6 +114,7 @@ rules:
   - seccompprofiles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

deploy/base/crds/securityprofilesoperatordaemon.yaml

@@ -41,6 +41,12 @@ spec:
           spec:
             description: SPODStatus defines the desired state of SPOD.
             properties:
+              allowedSyscalls:
+                description: AllowedSyscalls if specified, a list of system calls
+                  which are allowed in seccomp profiles.
+                items:
+                  type: string
+                type: array
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/base/role.yaml

@@ -364,6 +364,7 @@ rules:
   - seccompprofiles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

deploy/namespace-operator.yaml

@@ -583,6 +583,12 @@ spec:
           spec:
             description: SPODStatus defines the desired state of SPOD.
             properties:
+              allowedSyscalls:
+                description: AllowedSyscalls if specified, a list of system calls
+                  which are allowed in seccomp profiles.
+                items:
+                  type: string
+                type: array
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.
@@ -1505,6 +1511,7 @@ rules:
   - seccompprofiles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

deploy/openshift-dev.yaml

@@ -583,6 +583,12 @@ spec:
           spec:
             description: SPODStatus defines the desired state of SPOD.
             properties:
+              allowedSyscalls:
+                description: AllowedSyscalls if specified, a list of system calls
+                  which are allowed in seccomp profiles.
+                items:
+                  type: string
+                type: array
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.
@@ -1505,6 +1511,7 @@ rules:
   - seccompprofiles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

deploy/operator.yaml

@@ -583,6 +583,12 @@ spec:
           spec:
             description: SPODStatus defines the desired state of SPOD.
             properties:
+              allowedSyscalls:
+                description: AllowedSyscalls if specified, a list of system calls
+                  which are allowed in seccomp profiles.
+                items:
+                  type: string
+                type: array
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.
@@ -1505,6 +1511,7 @@ rules:
   - seccompprofiles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

examples/seccompprofile-allowed-syscalls-change.yaml

@@ -0,0 +1,17 @@
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  name: profile-allowed-syscalls
+  annotations:
+    description: "profile with allowed syscalls"
+spec:
+  defaultAction: SCMP_ACT_ERRNO
+  architectures:
+  - SCMP_ARCH_X86_64
+  syscalls:
+  - action: SCMP_ACT_ALLOW
+    names:
+    - exit
+    - exit_group
+    - futex
+    - nanosleep

examples/seccompprofile-allowed-syscalls-validation.yaml

@@ -0,0 +1,58 @@
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  name: profile-allowed-syscalls
+  annotations:
+    description: "profile with allowed syscalls"
+spec:
+  defaultAction: SCMP_ACT_ERRNO
+  architectures:
+  - SCMP_ARCH_X86_64
+  syscalls:
+  - action: SCMP_ACT_ALLOW
+    names:
+    - exit
+    - exit_group
+    - futex
+    - nanosleep
+---
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  name: profile-denied-syscalls
+  annotations:
+    description: "profile with denied syscalls"
+spec:
+  defaultAction: SCMP_ACT_ERRNO
+  architectures:
+  - SCMP_ARCH_X86_64
+  syscalls:
+  - action: SCMP_ACT_ALLOW
+    names:
+    - exit
+    - exit_group
+    - futex
+    - nanosleep
+    - bpf
+  - action: SCMP_ACT_ERRNO
+    names:
+    - acct
+    - add_key
+---
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  name: profile-allow-all-syscalls
+  annotations:
+    description: "profile with all syscalls allowed"
+spec:
+  defaultAction: "SCMP_ACT_ALLOW"
+---
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  name: profile-block-all-syscalls
+  annotations:
+    description: "Blocks all syscalls."
+spec:
+  defaultAction: "SCMP_ACT_ERRNO"

installation-usage.md

@@ -9,6 +9,7 @@
   - [Installation using OLM using upstream catalog and bundle](#installation-using-olm-using-upstream-catalog-and-bundle)
 - [Set logging verbosity](#set-logging-verbosity)
 - [Configure the SELinux type](#configure-the-selinux-type)
+- [Restrict the allowed syscalls in seccomp profiles](#restrict-the-allowed-syscalls-in-seccomp-profiles)
 - [Create Profile](#create-profile)
   - [Apply profile to pod](#apply-profile-to-pod)
   - [Base syscalls for a container runtime](#base-syscalls-for-a-container-runtime)
@@ -151,6 +152,23 @@ The `ds/spod` should now be updated by the manager with the new SELinux type, an
             type: unconfined_t
 ```
 
+## Restrict the allowed syscalls in seccomp profiles
+
+The operator doesn't restrict by default the allowed syscalls in the seccomp profiles. This means that any
+syscall can be allowed in a seccomp profile installed via the operator. This can be changed by defining the 
+list of allowed syscalls in the spod configuration as follows:
+
+```
+kubectl -n security-profiles-operator patch spod spod --type merge -p 
+'{"spec":{"allowedSyscalls": ["exit", "exit_group", "futex", "nanosleep"]}}'
+```
+
+From now on, the operator will only install the seccomp profiles which have only a subset of syscalls defined
+into the allowed list. All profiles not complying with this rule, it will be rejected. 
+
+Also every time when the list of allowed syscalls is modified in the spod configuration, the operator will 
+automatically identify the already installed profiles which are not compliant and remove them.
+
 ## Create Profile
 
 Use the `SeccompProfile` kind to create profiles. Example: