This repository was archived by the owner on Mar 6, 2026. It is now read-only.

[TEST] SeccompProfile CRD: add new fields for seccomp notify #1

Open: alban wants to merge 1 commit into main from alban_notify

Conversation

alban (Member) commented Feb 2, 2022

Seccomp notify is a new feature in container runtimes introduced by

  • https://github.com/opencontainers/runtime-spec PR 1074
  • https://github.com/opencontainers/runc PR 2682 (available in runc 1.1.0)
This patch adds:

  • The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
    seccomp agent
  • The ListenerPath and ListenerMetadata fields so the runtime can
    contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https://github.com/opencontainers/runtime-spec PR 1096 for details.


rata left a comment

@alban awesome, thanks for doing this!

LGTM. Just a simple comment about a flag that must not be added (it is confusing, and there are already mistakes in the OCI seccomp flags).

But that should be trivial; from my POV feel free to fix that and just open the PR upstream.

type Arch string

// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW
// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW;SECCOMP_FILTER_FLAG_NEW_LISTENER
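Review bot: the new Enum marker on this line admits SECCOMP_FILTER_FLAG_NEW_LISTENER, which the PR description itself says is deliberately not added (see runtime-spec PR 1096); keep the marker at `SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW` so the CRD does not accept a flag the runtime applies on its own when it sets up the notify listener. The same correction applies to each of the identical flag lists in the other files further down in this review.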

This shouldn't be added. See this PR: opencontainers/runtime-spec#1096

- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem, please remove

- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem, remove

- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

- SECCOMP_FILTER_FLAG_TSYNC
- SECCOMP_FILTER_FLAG_LOG
- SECCOMP_FILTER_FLAG_SPEC_ALLOW
- SECCOMP_FILTER_FLAG_NEW_LISTENER

idem

alban force-pushed the alban_notify branch 2 times, most recently from b27da39 to 294bb86 on February 2, 2022 16:33

Seccomp notify is a new feature in container runtimes introduced by
- https://github.com/opencontainers/runtime-spec PR 1074
- https://github.com/opencontainers/runc PR 2682 (available in runc 1.1.0)

This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
  seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can
  contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https://github.com/opencontainers/runtime-spec PR 1096 for details.
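The description and commit message above name the three things a profile carrying seccomp notify has to get right: the SCMP_ACT_NOTIFY action, the ListenerPath/ListenerMetadata fields the runtime uses to reach the agent, and the SECCOMP_FILTER_FLAG_NEW_LISTENER flag that must not be exposed. The following is an added example, not code from this PR or from the operator, showing validation logic a CRD webhook could run over those fields. The `ProfileSpec` and `Syscall` types are a hypothetical, simplified mirror of the CRD (the operator's real types differ in shape); the JSON tags use the OCI runtime-spec field names `defaultAction`, `flags`, `listenerPath`, `listenerMetadata` and `syscalls`. The rules that a notifying profile needs a listener path and that SCMP_ACT_NOTIFY cannot be the default action are assumptions modelled on runc's behaviour, not something this page states; the socket path and syscall names are constructed sample data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Syscall is a hypothetical, simplified mirror of one CRD syscall entry.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// ProfileSpec mirrors the CRD fields this PR touches; the json tags match the
// OCI runtime-spec names so the struct can be emitted as linux.seccomp.
type ProfileSpec struct {
	DefaultAction    string    `json:"defaultAction"`
	Flags            []string  `json:"flags,omitempty"`
	ListenerPath     string    `json:"listenerPath,omitempty"`
	ListenerMetadata string    `json:"listenerMetadata,omitempty"`
	Syscalls         []Syscall `json:"syscalls"`
}

const (
	actNotify       = "SCMP_ACT_NOTIFY"
	flagNewListener = "SECCOMP_FILTER_FLAG_NEW_LISTENER"
)

// allowedFlags is the enum from the review without NEW_LISTENER, which the
// runtime applies itself when it installs a notifying filter.
var allowedFlags = map[string]bool{
	"SECCOMP_FILTER_FLAG_TSYNC":      true,
	"SECCOMP_FILTER_FLAG_LOG":        true,
	"SECCOMP_FILTER_FLAG_SPEC_ALLOW": true,
}

// UsesNotify reports whether any syscall rule defers to a seccomp agent.
func UsesNotify(p ProfileSpec) bool {
	for _, s := range p.Syscalls {
		if s.Action == actNotify {
			return true
		}
	}
	return false
}

// Validate collects every problem instead of stopping at the first, so an
// admission webhook can report them all in one rejection.
func Validate(p ProfileSpec) []error {
	var errs []error
	for _, f := range p.Flags {
		switch {
		case f == flagNewListener:
			errs = append(errs, fmt.Errorf("flag %s must not be set in the profile; the runtime adds it", f))
		case !allowedFlags[f]:
			errs = append(errs, fmt.Errorf("unknown seccomp flag %q", f))
		}
	}
	// Assumption (modelled on runc): a notify default would send every
	// unlisted syscall to the agent, so it is rejected outright.
	if p.DefaultAction == actNotify {
		errs = append(errs, errors.New("defaultAction may not be SCMP_ACT_NOTIFY"))
	}
	// Assumption (modelled on runc): the listener path and the notify action
	// only make sense together.
	switch notify := UsesNotify(p); {
	case notify && p.ListenerPath == "":
		errs = append(errs, errors.New("listenerPath is required when a syscall uses SCMP_ACT_NOTIFY"))
	case !notify && p.ListenerPath != "":
		errs = append(errs, errors.New("listenerPath is set but no syscall uses SCMP_ACT_NOTIFY"))
	}
	return errs
}

// ToOCIJSON renders the spec as the linux.seccomp object a runtime consumes.
func ToOCIJSON(p ProfileSpec) (string, error) {
	b, err := json.Marshal(p)
	return string(b), err
}

// NotifyProfile is a constructed, valid profile: mount is deferred to an agent.
var NotifyProfile = ProfileSpec{
	DefaultAction:    "SCMP_ACT_ERRNO",
	Flags:            []string{"SECCOMP_FILTER_FLAG_TSYNC"},
	ListenerPath:     "/run/seccomp-agent.sock",
	ListenerMetadata: "example-metadata",
	Syscalls: []Syscall{
		{Names: []string{"read", "write", "exit_group"}, Action: "SCMP_ACT_ALLOW"},
		{Names: []string{"mount"}, Action: actNotify},
	},
}

// BadProfile is constructed to trip all three checks at once.
var BadProfile = ProfileSpec{
	DefaultAction: actNotify,
	Flags:         []string{flagNewListener},
	Syscalls:      []Syscall{{Names: []string{"mount"}, Action: actNotify}},
}

func main() {
	for _, err := range Validate(BadProfile) {
		fmt.Println("rejected:", err)
	}
	if out, err := ToOCIJSON(NotifyProfile); err == nil {
		fmt.Println(out)
	}
}
```

Running `main` prints the three rejections for `BadProfile` and then the OCI JSON for `NotifyProfile`, whose `listenerPath` and `listenerMetadata` keys are what the runtime forwards to the seccomp agent over the UNIX socket.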