
Commit 32196c8

seccomp: set SPEC_ALLOW by default
If no seccomp flags are set in OCI runtime spec (not even the empty set), set SPEC_ALLOW by default. Otherwise, use the flags set. This mimics the crun behavior, and makes runc seccomp performance on par with crun. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 9e97ec15843aa99ca16fc0588bd737d7d093e71e) Signed-off-by: Kir Kolyshkin <[email protected]>
1 parent e8471fb commit 32196c8


2 files changed

+17
-11
lines changed


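--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -1018,16 +1018,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 newConfig := new(configs.Seccomp)
 newConfig.Syscalls = []*configs.Syscall{}
 
-// The list of flags defined in runtime-spec is a subset of the flags
-// in the seccomp() syscall
-for _, flag := range config.Flags {
-switch flag {
-case "SECCOMP_FILTER_FLAG_TSYNC":
-// Tsync can be silently ignored
-case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
-newConfig.Flags = append(newConfig.Flags, flag)
-default:
-return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+if config.Flags == nil {
+// No flags are set explicitly (not even the empty set);
+// set the default of specs.LinuxSeccompFlagSpecAllow.
+newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
+} else {
+// The list of flags defined in runtime-spec is a subset of the flags
+// in the seccomp() syscall.
+for _, flag := range config.Flags {
+switch flag {
+case "SECCOMP_FILTER_FLAG_TSYNC":
+// Tsync can be silently ignored
+case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
+newConfig.Flags = append(newConfig.Flags, flag)
+default:
+return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+}
 }
 }
 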
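Review bot: The new `config.Flags == nil` branch changes the security default for every spec that omits `flags`, yet the comment at new lines 1022-1023 only names the constant and never says what SECCOMP_FILTER_FLAG_SPEC_ALLOW gives up: on kernels booted with `spec_store_bypass_disable=seccomp` the flag stops the kernel from enabling its Speculative Store Bypass mitigation for the filtered task, which is where the performance gain over the old default comes from. Extend the comment so the trade-off is visible at the point of decision, e.g. `// set the default of specs.LinuxSeccompFlagSpecAllow. This matches crun and trades the` / `// kernel's seccomp-triggered SSB mitigation for speed; "flags": [] keeps the kernel default.` Because the branch keys on nil rather than on an empty slice, an explicit empty `flags` array is the only way a spec author opts back into the mitigated behaviour, and that distinction belongs in SetupSeccomp's doc comment as part of the function's contract. Both the doc comment and the rest of the function body lie outside this hunk.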
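--- a/tests/integration/seccomp.bats
+++ b/tests/integration/seccomp.bats
@@ -80,7 +80,7 @@ function teardown() {
 }'
 
 declare -A FLAGS=(
-['REMOVE']=0 # No setting, use built-in default.
+['REMOVE']=4 # No setting, use built-in default.
 ['EMPTY']=0 # Empty set of flags.
 ['"SECCOMP_FILTER_FLAG_LOG"']=2
 ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4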
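Review bot: The expected value for `REMOVE` at new line 83 becomes 4, but its trailing comment still reads only `# No setting, use built-in default.`, so a reader has to match the number against the SPEC_ALLOW entry two lines below to learn what the built-in default now is. Spell it out, `['REMOVE']=4 # No setting, use built-in default (SPEC_ALLOW).`, so the test documents the behaviour it pins and a future change of the default is caught as a deliberate edit rather than a mysterious numeric mismatch. The enclosing test function starts and ends outside this hunk.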