Skip to content

Implement seccomp notify support #2682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cyphar merged 7 commits into from
Sep 8, 2021
Merged

Implement seccomp notify support #2682

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
c55530b
vendoring: Use libseccomp with notify support
alban Mar 19, 2021
4e7aeff
libcontainer/utils: introduce SendFds
mauriciovasquezbernal Nov 9, 2020
2b025c0
Implement Seccomp Notify
alban Sep 9, 2020
c64aaf0
libcontainer/specconv: extend SetupSeccomp tests
mauriciovasquezbernal Dec 3, 2020
e21a9ee
contrib: add sample seccomp agent
alban Sep 15, 2020
5ae831d
tests: add functional tests for seccomp
mauriciovasquezbernal Nov 19, 2020
00772ca
tests: add functional tests for seccomp notify
mauriciovasquezbernal Oct 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ vendor/pkg
/runc-*
contrib/cmd/recvtty/recvtty
contrib/cmd/sd-helper/sd-helper
contrib/cmd/seccompagent/seccompagent
man/man8
release
Vagrantfile
Expand Down
5 changes: 4 additions & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,14 @@ GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(B
runc:
$(GO_BUILD) -o runc .

all: runc recvtty sd-helper
all: runc recvtty sd-helper seccompagent

recvtty sd-helper:
$(GO_BUILD) -o contrib/cmd/$@/$@ ./contrib/cmd/$@

seccompagent:
$(GO_BUILD) -o contrib/cmd/seccompagent/seccompagent ./contrib/cmd/seccompagent

static:
$(GO_BUILD_STATIC) -o runc .
$(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
Expand Down
62 changes: 62 additions & 0 deletions contrib/cmd/seccompagent/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# Seccomp Agent

## Warning

Please note this is an example agent, as such it is possible that specially
crafted messages can produce bad behaviour. Please use it as an example only.

Also, this agent is used for integration tests. Be aware that changing the
behaviour can break the integration tests.

## Get started

Compile runc and seccompagent:
```bash
make all
```

Run the seccomp agent in the background:
```bash
sudo ./contrib/cmd/seccompagent/seccompagent &
```

Prepare a container:
```bash
mkdir container-seccomp-notify
cd container-seccomp-notify
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -
```

Copy the example `config.json` file from the directory where this README.md is
to the container directory you prepared earlier (`container-seccomp-notify`).
This is a config.json as generated by `runc spec` at time of writing, with only
the `args` and `seccomp` sections modified.

Then start the container:
```bash
runc run mycontainerid
```
Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda Jul 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we explain what user should do after starting the container?

e.g., run mkdir, chmod, ...

Copy link
Copy Markdown
Member

@rata rata Jul 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, will clarify that. Thanks!

Copy link
Copy Markdown
Member

@rata rata Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simplified this. I added a config.json to the directory, referenced that to be used, simplified the command that is run and added here the expected output with a brief explanation.

Thanks!


The container will output something like this:
```bash
+ cd /dev/shm
+ mkdir test-dir
+ touch test-file
+ chmod 777 test-file
chmod: changing permissions of 'test-file': No medium found
+ ls -l /dev/shm
total 0
drwxr-xr-x 2 root root 40 Jul 21 14:09 test-dir-foo
-rw-r--r-- 1 root root 0 Jul 21 14:09 test-file
+ echo Note the agent added a suffix for the directory name and chmod fails
Note the agent added a suffix for the directory name and chmod fails
```

This shows a simple example that runs in /dev/shm just because it is a tmpfs in
the example config.json.

The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows.

For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir"
but the directory created is "test-dir-foo".
197 changes: 197 additions & 0 deletions contrib/cmd/seccompagent/config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,197 @@
{
"ociVersion": "1.0.2-dev",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"sh",
"-c",
"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; ls -l /dev/shm; echo \"Note the agent added a suffix for the directory name and chmod fails\" "
Comment on lines +11 to +12
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin Aug 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps it makes sense to add comments to at least mark those parts of the file that are specific to this demo. This includes this args section, and seccomp below. Anything else?

Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin Aug 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or, add a short script instead that would modify config.json to achieve what you need. You can see lots of examples of how to do it with jq in tests/integration

Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin Aug 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either way is fine with me -- I just want to be able to find out in 15+ years which parts are specific to the test, and which are whatever runc spec generated back in 2021 :)

Copy link
Copy Markdown
Member

@rata rata Aug 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it is a config as generated by runc spec, with only the args and seccomp section modified. I stated that in the README so it is easy for our future selfs :-) (json can't include comments AFAIK).

Copy link
Copy Markdown
Member

@cyphar cyphar Sep 7, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think he meant that it would be nice if there was a simple script that did:

% runc spec
% jq '.process.args = [...]' <config.json | sponge config.json

Another option would be to put the test commands in a script and execute the script (copying it into the rootfs in the integration test) which would be even cleaner. Then you could just follow the style of the other integration tests where you simply add the configuration settings in the integration test rather than having a saved config.json in the test directory.

But we can always fix that separately (and having an explanation in the readme is probably sufficient for now).

EDIT: Ah this isn't used in tests at all. Yeah then it's fine (though a script to generate it would be nice).

Copy link
Copy Markdown
Member

@rata rata Sep 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I can do that in a follow-up PR :)

],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"ambient": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": true
},
"hostname": "runc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"linux": {
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"listenerPath": "/run/seccomp-agent.socket",
"listenerMetadata": "foo",
"architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],
"syscalls": [
{
"names": [ "chmod", "fchmod", "fchmodat", "mkdir" ],
"action": "SCMP_ACT_NOTIFY"
}
]
},
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
},
{
"type": "cgroup"
}
],
"maskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"readonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}
Loading