Use containers/common for seccomp handling

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v4 v4.1.0
 	github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775
 	github.com/containerd/console v1.0.0
+	github.com/containers/common v0.21.0
 	github.com/coreos/go-systemd/v22 v22.1.0
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/docker/go-units v0.4.0
@@ -16,7 +17,7 @@ require (
 	github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6
 	github.com/opencontainers/selinux v1.6.0
 	github.com/pkg/errors v0.9.1
-	github.com/seccomp/libseccomp-golang v0.9.1
+	github.com/seccomp/libseccomp-golang v0.9.2-0.20200616122406-847368b35ebf
 	github.com/sirupsen/logrus v1.6.0
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092

internal/seccomp/seccomp.go

@@ -0,0 +1,22 @@
+// +build linux,cgo,seccomp
+
+package seccomp
+
+import (
+	"github.com/containers/common/pkg/seccomp"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+// Setup takes the provided spec and loads the built seccomp filter into the
+// kernel.
+func Setup(spec *specs.LinuxSeccomp) error {
+	filter, err := seccomp.BuildFilter(spec)
+	if err != nil {
+		return errors.Wrap(err, "build filter")
+	}
+	if err := filter.Load(); err != nil {
+		return errors.Wrap(err, "load filter")
+	}
+	return nil
+}

internal/seccomp/seccomp_unsupported.go

@@ -0,0 +1,19 @@
+// +build !linux !cgo !seccomp
+
+package seccomp
+
+import (
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+// ErrSeccompNotEnabled will be returned if seccomp is build-time disabled in runc
+var ErrSeccompNotEnabled = errors.New("config provided but seccomp not supported")
+
+// Setup does nothing because seccomp is not supported.
+func Setup(spec *specs.LinuxSeccomp) error {
+	if spec != nil {
+		return ErrSeccompNotEnabled
+	}
+	return nil
+}

libcontainer/configs/config.go

@@ -25,57 +25,6 @@ type IDMap struct {
 	Size        int `json:"size"`
 }
 
-// Seccomp represents syscall restrictions
-// By default, only the native architecture of the kernel is allowed to be used
-// for syscalls. Additional architectures can be added by specifying them in
-// Architectures.
-type Seccomp struct {
-	DefaultAction Action     `json:"default_action"`
-	Architectures []string   `json:"architectures"`
-	Syscalls      []*Syscall `json:"syscalls"`
-}
-
-// Action is taken upon rule match in Seccomp
-type Action int
-
-const (
-	Kill Action = iota + 1
-	Errno
-	Trap
-	Allow
-	Trace
-	Log
-)
-
-// Operator is a comparison operator to be used when matching syscall arguments in Seccomp
-type Operator int
-
-const (
-	EqualTo Operator = iota + 1
-	NotEqualTo
-	GreaterThan
-	GreaterThanOrEqualTo
-	LessThan
-	LessThanOrEqualTo
-	MaskEqualTo
-)
-
-// Arg is a rule to match a specific syscall argument in Seccomp
-type Arg struct {
-	Index    uint     `json:"index"`
-	Value    uint64   `json:"value"`
-	ValueTwo uint64   `json:"value_two"`
-	Op       Operator `json:"op"`
-}
-
-// Syscall is a rule to match a syscall in Seccomp
-type Syscall struct {
-	Name     string `json:"name"`
-	Action   Action `json:"action"`
-	ErrnoRet *uint  `json:"errnoRet"`
-	Args     []*Arg `json:"args"`
-}
-
 // TODO Windows. Many of these fields should be factored out into those parts
 // which are common across platforms, and those which are platform specific.
 
@@ -172,7 +121,7 @@ type Config struct {
 	// Seccomp allows actions to be taken whenever a syscall is made within the container.
 	// A number of rules are given, each having an action to be taken if a syscall matches it.
 	// A default action to be taken if no rules match is also given.
-	Seccomp *Seccomp `json:"seccomp"`
+	Seccomp *specs.LinuxSeccomp `json:"seccomp"`
 
 	// NoNewPrivileges controls whether processes in the container can gain additional privileges.
 	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`

libcontainer/integration/seccomp_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/opencontainers/runc/libcontainer"
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	libseccomp "github.com/seccomp/libseccomp-golang"
 )
 
@@ -26,12 +26,12 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
 	errnoRet := uint(syscall.ESRCH)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:     "getcwd",
-				Action:   configs.Errno,
+				Names:    []string{"getcwd"},
+				Action:   specs.ActErrno,
 				ErrnoRet: &errnoRet,
 			},
 		},
@@ -96,12 +96,12 @@ func TestSeccompDenyGetcwd(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "getcwd",
-				Action: configs.Errno,
+				Names:  []string{"getcwd"},
+				Action: specs.ActErrno,
 			},
 		},
 	}
@@ -165,17 +165,17 @@ func TestSeccompPermitWriteConditional(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 				},
 			},
@@ -227,17 +227,17 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 				},
 			},
@@ -305,22 +305,22 @@ func TestSeccompPermitWriteMultipleConditions(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 					{
 						Index: 2,
 						Value: 0,
-						Op:    configs.NotEqualTo,
+						Op:    specs.OpNotEqual,
 					},
 				},
 			},
@@ -360,22 +360,22 @@ func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 					{
 						Index: 2,
 						Value: 0,
-						Op:    configs.NotEqualTo,
+						Op:    specs.OpNotEqual,
 					},
 				},
 			},
@@ -410,22 +410,22 @@ func TestSeccompMultipleConditionSameArgDeniesStdout(t *testing.T) {
 
 	// Prevent writing to both stdout and stderr
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 1,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 				},
 			},
@@ -458,22 +458,22 @@ func TestSeccompMultipleConditionSameArgDeniesStderr(t *testing.T) {
 
 	// Prevent writing to both stdout and stderr
 	config := newTemplateConfig(rootfs)
-	config.Seccomp = &configs.Seccomp{
-		DefaultAction: configs.Allow,
-		Syscalls: []*configs.Syscall{
+	config.Seccomp = &specs.LinuxSeccomp{
+		DefaultAction: specs.ActAllow,
+		Syscalls: []specs.LinuxSyscall{
 			{
-				Name:   "write",
-				Action: configs.Errno,
-				Args: []*configs.Arg{
+				Names:  []string{"write"},
+				Action: specs.ActErrno,
+				Args: []specs.LinuxSeccompArg{
 					{
 						Index: 0,
 						Value: 1,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 					{
 						Index: 0,
 						Value: 2,
-						Op:    configs.EqualTo,
+						Op:    specs.OpEqualTo,
 					},
 				},
 			},