api: implement seccomp adjustment via json string

a much less boilerplate-y version of seccomp policy adjustment Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
tych0 · Nov 22, 2024 · a70547a · a70547a
1 parent 6d486ac
commit a70547a
Show file tree

Hide file tree

Showing 5 changed files with 459 additions and 334 deletions.
diff --git a/pkg/adaptation/result.go b/pkg/adaptation/result.go
@@ -219,6 +219,9 @@ func (r *result) adjust(rpl *ContainerAdjustment, plugin string) error {
 		if err := r.adjustOomScoreAdj(rpl.Linux.OomScoreAdj, plugin); err != nil {
 			return err
 		}
+		if err := r.adjustSeccompPolicy(rpl.Linux.SeccompPolicy, plugin); err != nil {
+			return err
+		}
 	}
 	if err := r.adjustRlimits(rpl.Rlimits, plugin); err != nil {
 		return err
@@ -738,6 +741,22 @@ func (r *result) adjustOomScoreAdj(OomScoreAdj *OptionalInt, plugin string) erro
 	return nil
 }
 
+func (r *result) adjustSeccompPolicy(adjustment *OptionalString, plugin string) error {
+	if adjustment == nil {
+		return nil
+	}
+	create, id := r.request.create, r.request.create.Container.Id
+
+	if err := r.owners.claimSeccompPolicy(id, plugin); err != nil {
+		return err
+	}
+
+	create.Container.Linux.SeccompPolicy = adjustment.Value
+	r.reply.adjust.Linux.SeccompPolicy = adjustment
+
+	return nil
+}
+
 func (r *result) adjustRlimits(rlimits []*POSIXRlimit, plugin string) error {
 	create, id, adjust := r.request.create, r.request.create.Container.Id, r.reply.adjust
 	for _, l := range rlimits {
@@ -976,6 +995,7 @@ type owners struct {
 	unified             map[string]string
 	cgroupsPath         string
 	oomScoreAdj         string
+	seccompPolicy       string
 	rlimits             map[string]string
 }
 
@@ -1096,6 +1116,10 @@ func (ro resultOwners) claimOomScoreAdj(id, plugin string) error {
 	return ro.ownersFor(id).claimOomScoreAdj(plugin)
 }
 
+func (ro resultOwners) claimSeccompPolicy(id, plugin string) error {
+	return ro.ownersFor(id).claimSeccompPolicy(plugin)
+}
+
 func (ro resultOwners) claimRlimits(id, typ, plugin string) error {
 	return ro.ownersFor(id).claimRlimit(typ, plugin)
 }
@@ -1349,6 +1373,14 @@ func (o *owners) claimOomScoreAdj(plugin string) error {
 	return nil
 }
 
+func (o *owners) claimSeccompPolicy(plugin string) error {
+	if other := o.seccompPolicy; other != "" {
+		return conflict(plugin, other, "seccomp policy")
+	}
+	o.seccompPolicy = plugin
+	return nil
+}
+
 func (ro resultOwners) clearAnnotation(id, key string) {
 	ro.ownersFor(id).clearAnnotation(key)
 }