Add Seccomp Notify support #1
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alban
force-pushed
the
alban/seccomp
branch
2 times, most recently
from
d53362d to
483dfbf
Compare
|
Thanks for the review @mauriciovasquezbernal ! I addressed your comments. Another change I'd like to make is on the State, to make it look like in the proposal:
|
Without this, Travis CI only works on the main repository (github.com/opencontainers/runtime-spec) but not on forks. It is useful to make Travis CI work on forks for contributors to be able to test their work before submitting a PR upstream. See: https://docs.travis-ci.com/user/languages/go#go-import-path Symptoms: ``` $ make docs go run ./.tool/version-doc.go > version.md .tool/version-doc.go:10:2: cannot find package "github.com/opencontainers/runtime-spec/specs-go" in any of: /home/travis/.gimme/versions/go1.11.13.linux.amd64/src/github.com/opencontainers/runtime-spec/specs-go (from $GOROOT) /home/travis/gopath/src/github.com/opencontainers/runtime-spec/specs-go (from $GOPATH) Makefile:53: recipe for target 'version.md' failed make: *** [version.md] Error 1 The command "make docs" exited with 2. ``` Signed-off-by: Alban Crequy <[email protected]>
There was a problem hiding this comment.
Some more minor comments, one important about the exec phase.
Should this PR also update the Lifecycle ?
This adds the specification for Seccomp Userspace Notification and the Golang bindings. This contains: - A new OCI hook "sendSeccompFd" used to pass the seccompfd to an external seccomp agent via the hook. - Additional SeccompState struct containing the container state and file descriptors passed for seccomp. This was discussed in the OCI Weekly Discussion on September 16th, 2020, see: - https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg#September-16-2020 - https://docs.google.com/document/d/1xHw5GQjMj6ZKR-40aKmTWZRkvlPuzMGQRu-YpOFQc30/edit Documentation for this feature: - https://www.kernel.org/doc/html/v5.0/userspace-api/seccomp_filter.html#userspace-notification - man pages: seccomp_user_notif.2 at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/log/?h=seccomp_user_notif - brauner's blog: https://brauner.github.io/2020/07/23/seccomp-notify.html This PR is an alternative proposal to PR 1038. Signed-off-by: Alban Crequy <[email protected]>
Fixup following reviews Signed-off-by: Alban Crequy <[email protected]>
|
I updated the branch based on reviews.
I am not sure. I didn't update it. |
|
Upstream PR 1073 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds the specification for Seccomp Userspace Notification and the Golang bindings. This contains:
This was discussed in the OCI Weekly Discussion on September 16th, 2020, see:
Documentation for this feature:
This PR is an alternative proposal to PR 1038.
Signed-off-by: Alban Crequy [email protected]