Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: support notify listener #627

Merged
merged 15 commits into from
Mar 23, 2021
Merged

seccomp: support notify listener #627

merged 15 commits into from
Mar 23, 2021

Conversation

giuseppe
Copy link
Member

The OCI runtime specs[1] recently gained the support for seccomp
notifications.

[1] opencontainers/runtime-spec#1074

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@giuseppe
Copy link
Member Author

@mauriciovasquezbernal PTAL

@giuseppe giuseppe force-pushed the seccomp-notifications-oci branch 3 times, most recently from b649c17 to 1187828 Compare March 17, 2021 13:10
@giuseppe giuseppe marked this pull request as ready for review March 17, 2021 13:16
@giuseppe giuseppe force-pushed the seccomp-notifications-oci branch 4 times, most recently from 1ecc6ba to 09ddd93 Compare March 23, 2021 11:56
@giuseppe
Copy link
Member Author

rebased

rhatdan
rhatdan approved these changes Mar 23, 2021
View reviewed changes
contrib/seccomp-receiver/seccomp-receiver.c Outdated
/*
* crun - OCI runtime written in C
*
* Copyright (C) 2018, 2019 Giuseppe Scrivano <giuseppe@scrivano.org>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be updated/changed?

rhatdan
rhatdan reviewed Mar 23, 2021
View reviewed changes
src/libcrun/container.c

yajl_gen_string (gen, YAJL_STR ("pid"), strlen ("pid"));
yajl_gen_integer (gen, pid);
r = yajl_gen_string (gen, YAJL_STR ("1.0"), strlen ("1.0"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should you hard code the version here?

rhatdan
rhatdan reviewed Mar 23, 2021
View reviewed changes
src/libcrun/container.c Outdated
if (UNLIKELY (r != yajl_gen_status_ok))
goto exit;

r = yajl_gen_string (gen, YAJL_STR ("0.2.0"), strlen ("0.2.0"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Majic number, should this be a const?

rhatdan
rhatdan reviewed Mar 23, 2021
View reviewed changes
src/libcrun/container.c Outdated
if (UNLIKELY (r != yajl_gen_status_ok))
goto exit;

r = yajl_gen_string (gen, YAJL_STR ("0.2.0"), strlen ("0.2.0"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Magic number?

rhatdan
rhatdan reviewed Mar 23, 2021
View reviewed changes
tests/init.c Outdated
@@ -310,7 +310,7 @@ int main (int argc, char **argv)

if (strcmp (argv[1], "check-feature") == 0)
{
if (argc < 2)
if (argc <= 2)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be just 3, would be easier to understand.

@giuseppe giuseppe force-pushed the seccomp-notifications-oci branch 2 times, most recently from c978989 to 1cac654 Compare March 23, 2021 17:32
@giuseppe
crun: always use absolute path for the bundle
8722858 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
contrib: new tool to test seccomp notifications
8fd3320 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
linux: pass own pid to container process
6e19235 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
error: new function to convert from yajl errors
14083ab 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
container: use new error function for hooks JSON
873b62d 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
status: use function to convert from yajl errors
c3361c1 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
seccomp: support notify listener
5a627f4 
The OCI runtime specs[1] recently gained the support for seccomp
notifications.

[1] opencontainers/runtime-spec#1074

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
init: fix check for nargs
5d9010b 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
init: add check for seccomp listener
f80e98d 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
tests: add test for seccomp listener
7812572 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
seccomp: always NUL terminate lowercase_arch
5e4efb7 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
src: initialize first_arg
2e88d19 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
src: initialize statx struct
00371ae 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
container: initialize tmp_err
d9c9fd0 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
cgroup: skip parsing empty file
9aa382b 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Copy link
Member Author

addressed the comments and pushed a new version

@rhatdan
Copy link
Member

rhatdan commented Mar 23, 2021

LGTM

@rhatdan rhatdan merged commit a1c0ef1 into containers:master Mar 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhatdan rhatdan rhatdan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@giuseppe @rhatdan