Add Seccomp Notify support using UNIX sockets and container metadata #1074

Merged (1 commit) on Mar 16, 2021

Commits on Mar 9, 2021

  1. Add Seccomp Notify support

    This adds the specification for Seccomp Userspace Notification and the
    Golang bindings. This contains:
    - New fields in the seccomp section to use with seccomp userspace
      notification.
    - Additional SeccompState struct containing the container state and file
      descriptors passed for seccomp.
    
    This was discussed in the OCI Weekly Discussion on September 16th,
    2020. After review on GitHub, this implementation was changed to the
    "Proposal with listenerPath and listenerExtraMetadata". For more
    information see:
    - opencontainers#1073 (comment)
    
    Docs presented on the community meeting (for the old implementation
    using hooks):
    - https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg#September-16-2020
    - https://docs.google.com/document/d/1xHw5GQjMj6ZKR-40aKmTWZRkvlPuzMGQRu-YpOFQc30/edit
    
    Documentation for this feature:
    - https://www.kernel.org/doc/html/v5.0/userspace-api/seccomp_filter.html#userspace-notification
    - man pages: seccomp_user_notif.2 at
      https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/log/?h=seccomp_user_notif
    - brauner's blog:
      https://brauner.github.io/2020/07/23/seccomp-notify.html
    
    This PR is an alternative proposal to PR 1038. While similar in nature,
    the main difference is that this PR adds optional metadata to be sent to
    the seccomp agent and specifies how the UNIX socket MUST be used.
    
    Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
    Signed-off-by: Alban Crequy <alban@kinvolk.io>
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
    rata committed Mar 9, 2021
    58798e7
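The exchange the commit message describes (the runtime connects to listenerPath and hands the seccomp fd plus container metadata to the seccomp agent over a UNIX socket), as an added Go example that is not part of this PR or of runtime-spec. It assumes the fd travels as SCM_RIGHTS ancillary data alongside a JSON-encoded state in the same message; the ContainerState type and its field names are this example's own, not the PR's SeccompState.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"syscall"
)

// ContainerState: metadata sent with the notify fd (field names are assumptions; the PR's SeccompState is not shown here).
type ContainerState struct {
	OCIVersion string   `json:"ociVersion"`
	Pid        int      `json:"pid"`
	Metadata   string   `json:"metadata"` // free-form listenerExtraMetadata from config.json
	Fds        []string `json:"fds"`      // one name per fd carried in SCM_RIGHTS, in order
}

// SendState is the runtime side: one sendmsg whose data payload is the JSON
// state and whose SCM_RIGHTS ancillary data carries the seccomp notify fd.
func SendState(conn *net.UnixConn, st ContainerState, notifyFd int) error {
	data, err := json.Marshal(st)
	if err != nil {
		return err
	}
	_, _, err = conn.WriteMsgUnix(data, syscall.UnixRights(notifyFd), nil)
	return err
}

// RecvState is the agent side: read one message, parse the JSON and pull the
// fds (fresh descriptors in this process) out of the SCM_RIGHTS control message.
func RecvState(conn *net.UnixConn) (*ContainerState, []int, error) {
	buf, oob := make([]byte, 64*1024), make([]byte, syscall.CmsgSpace(8*4)) // up to 8 fds
	n, oobn, _, _, err := conn.ReadMsgUnix(buf, oob)
	if err != nil {
		return nil, nil, err
	}
	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || len(msgs) != 1 {
		return nil, nil, fmt.Errorf("expected one SCM_RIGHTS message, got %d (%v)", len(msgs), err)
	}
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil {
		return nil, nil, err
	}
	var st ContainerState
	if err := json.Unmarshal(buf[:n], &st); err != nil {
		return nil, fds, err
	}
	return &st, fds, nil
}
```

The agent then drives the returned fd with the seccomp notify ioctls described in the linked kernel documentation; an agent should verify that len(st.Fds) matches the number of fds it actually received before trusting the names.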