From 7c549cb0939af03d5a2a8b271e2ad6871309e228 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 18 Mar 2021 15:43:54 +0100
Subject: [PATCH 1/2] seccomp: Add missing const for seccomp notify action

This wasn't catched before, even though we had working patches for containerd and runc in advance, as neither containerd nor runc really use these consts. In the spec this field is a string[1] and therefore when containerd parses with json.Unmarshall[2] it works just fine. With runc is not used either, as it uses a different struct in the libcontainer directory[3]. Therefore, even with patches using this change, this const definition was missed as it is not used by the patches.

[1]: https://github.com/opencontainers/runtime-spec/blob/a8c4a9ee0f6b5a0b994c5c23c68725394e2b0d9d/specs-go/config.go#L641
[2]: https://github.com/containerd/containerd/blob/8dbe53a2a930af3631229e4d92cf839b64ee5a38/contrib/seccomp/seccomp.go#L36-L40
[3]: https://github.com/opencontainers/runc/pull/2682/files#diff-9915e69bab45a993d366aad4a7d47459d73ec4304b7c33942f197dd221673376R51
[4]: https://github.com/opencontainers/runtime-spec/blob/a8c4a9ee0f6b5a0b994c5c23c68725394e2b0d9d/specs-go/config.go#L614

Signed-off-by: Rodrigo Campos
---
 specs-go/config.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/specs-go/config.go b/specs-go/config.go
index df1f43214..6a7a91e55 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -650,6 +650,7 @@ const (
 ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
 ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
 ActLog LinuxSeccompAction = "SCMP_ACT_LOG"
+ ActNotify LinuxSeccompAction = "SCMP_ACT_NOTIFY"
 )
 
 // LinuxSeccompOperator used to match syscall arguments in Seccomp
From 0f84938403622ae5154b138ddbcccc3558ba0ac0 Mon Sep 17 00:00:00 2001
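Review bot: The new `ActNotify` constant is added without a doc comment, and it is the only action in this list whose verdict is not produced by the kernel filter itself, so the line should say so. I would put `// ActNotify forwards the syscall to a user-space supervisor over the seccomp notification fd (SECCOMP_RET_USER_NOTIF); the supervisor, not the filter, decides the result, and a listener must be configured for the action to have any effect.` above the added line, matching whatever comment style the neighbouring actions use (their comments, if any, are outside the hunk). Consumers of this action should also keep in mind that a supervisor observes syscall arguments racily, a TOCTOU window the seccomp_unotify(2) man page documents, which is a concern for runtimes acting on the notification rather than for this constant. The enclosing `const (` block starts before the hunk.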
From: Rodrigo Campos
Date: Thu, 18 Mar 2021 17:29:02 +0100
Subject: [PATCH 2/2] schema/defs-linux: Fix inconsistencies with seccomp notify

Commit "Add Seccomp Notify support" (58798e75e9803d99bff5837ff39e9afe2e2efec8) just added SECCOMP_FILTER_FLAG_NEW_LISTENER to the schema and not to the list of flags in config-linux.md. However, it was a mistake to add them to the schema, as the user will never really need to specify that flag.

Signed-off-by: Rodrigo Campos
---
 schema/defs-linux.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index a99bd7488..5727802ab 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -70,8 +70,7 @@
 "enum": [
 "SECCOMP_FILTER_FLAG_TSYNC",
 "SECCOMP_FILTER_FLAG_LOG",
- "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
- "SECCOMP_FILTER_FLAG_NEW_LISTENER"
+ "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
 ]
 },
 "SeccompOperators": {
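Review bot: Removing `SECCOMP_FILTER_FLAG_NEW_LISTENER` from the enum turns any existing config that spells the flag out into a validation failure, and nothing in the hunk tells a reader why the flag is absent; presumably the runtime is expected to set it itself whenever a seccomp listener is configured, and that expectation belongs in the flag documentation in config-linux.md, e.g. `The runtime adds SECCOMP_FILTER_FLAG_NEW_LISTENER itself when a seccomp listener is configured; it MUST NOT be listed in flags.` The schema has no comment syntax, so the note cannot live in this file. If `specs-go/config.go` mirrors these flags as Go constants, confirm it does not still export a NEW_LISTENER value that this enum now rejects. The definition this enum belongs to starts before the hunk.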