Merge pull request kata-containers#689 from nitkon/seccomp

virtcontainers: Pass seccomp profile inside VM

Makefile

@@ -147,6 +147,9 @@ DEFMEMSLOTS := 10
 DEFBRIDGES := 1
 #Default network model
 DEFNETWORKMODEL := macvtap
+
+DEFDISABLEGUESTSECCOMP := true
+
 #Default entropy source
 DEFENTROPYSOURCE := /dev/urandom
 
@@ -229,6 +232,7 @@ USER_VARS += DEFMEMSZ
 USER_VARS += DEFMEMSLOTS
 USER_VARS += DEFBRIDGES
 USER_VARS += DEFNETWORKMODEL
+USER_VARS += DEFDISABLEGUESTSECCOMP
 USER_VARS += DEFDISABLEBLOCK
 USER_VARS += DEFBLOCKSTORAGEDRIVER
 USER_VARS += DEFENABLEIOTHREADS
@@ -398,6 +402,7 @@ $(GENERATED_FILES): %: %.in Makefile VERSION
 		-e "s|@DEFMEMSLOTS@|$(DEFMEMSLOTS)|g" \
 		-e "s|@DEFBRIDGES@|$(DEFBRIDGES)|g" \
 		-e "s|@DEFNETWORKMODEL@|$(DEFNETWORKMODEL)|g" \
+		-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
 		-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER@|$(DEFBLOCKSTORAGEDRIVER)|g" \
 		-e "s|@DEFENABLEIOTHREADS@|$(DEFENABLEIOTHREADS)|g" \

cli/config/configuration.toml.in

@@ -291,6 +291,13 @@ path = "@NETMONPATH@"
 #
 internetworking_model="@DEFNETWORKMODEL@"
 
+# disable guest seccomp
+# Determines whether container seccomp profiles are passed to the virtual
+# machine and applied by the kata agent. If set to true, seccomp is not applied
+# within the guest
+# (default: true)
+disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)

cli/kata-env.go

@@ -63,12 +63,13 @@ type RuntimeConfigInfo struct {
 
 // RuntimeInfo stores runtime details.
 type RuntimeInfo struct {
-	Version         RuntimeVersionInfo
-	Config          RuntimeConfigInfo
-	Debug           bool
-	Trace           bool
-	DisableNewNetNs bool
-	Path            string
+	Version             RuntimeVersionInfo
+	Config              RuntimeConfigInfo
+	Debug               bool
+	Trace               bool
+	DisableGuestSeccomp bool
+	DisableNewNetNs     bool
+	Path                string
 }
 
 // RuntimeVersionInfo stores details of the runtime version
@@ -174,12 +175,13 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 	runtimePath, _ := os.Executable()
 
 	return RuntimeInfo{
-		Debug:           config.Debug,
-		Trace:           config.Trace,
-		Version:         runtimeVersion,
-		Config:          runtimeConfig,
-		Path:            runtimePath,
-		DisableNewNetNs: config.DisableNewNetNs,
+		Debug:               config.Debug,
+		Trace:               config.Trace,
+		Version:             runtimeVersion,
+		Config:              runtimeConfig,
+		Path:                runtimePath,
+		DisableNewNetNs:     config.DisableNewNetNs,
+		DisableGuestSeccomp: config.DisableGuestSeccomp,
 	}
 }
 

pkg/katautils/config.go

@@ -120,10 +120,11 @@ type proxy struct {
 }
 
 type runtime struct {
-	Debug             bool   `toml:"enable_debug"`
-	Tracing           bool   `toml:"enable_tracing"`
-	DisableNewNetNs   bool   `toml:"disable_new_netns"`
-	InterNetworkModel string `toml:"internetworking_model"`
+	Debug               bool   `toml:"enable_debug"`
+	Tracing             bool   `toml:"enable_tracing"`
+	DisableNewNetNs     bool   `toml:"disable_new_netns"`
+	DisableGuestSeccomp bool   `toml:"disable_guest_seccomp"`
+	InterNetworkModel   string `toml:"internetworking_model"`
 }
 
 type shim struct {
@@ -795,6 +796,8 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 		return "", config, err
 	}
 
+	config.DisableGuestSeccomp = tomlConf.Runtime.DisableGuestSeccomp
+
 	// use no proxy if HypervisorConfig.UseVSock is true
 	if config.HypervisorConfig.UseVSock {
 		kataUtilsLogger.Info("VSOCK supported, configure to not use proxy")

virtcontainers/kata_agent.go

@@ -773,16 +773,17 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
 	return nil
 }
 
-func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool) {
+func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool, passSeccomp bool) {
 	// Disable Hooks since they have been handled on the host and there is
 	// no reason to send them to the agent. It would make no sense to try
 	// to apply them on the guest.
 	grpcSpec.Hooks = nil
 
-	// Disable Seccomp since they cannot be handled properly by the agent
-	// until we provide a guest image with libseccomp support. More details
-	// here: https://github.com/kata-containers/agent/issues/104
-	grpcSpec.Linux.Seccomp = nil
+	// Pass seccomp only if disable_guest_seccomp is set to false in
+	// configuration.toml and guest image is seccomp capable.
+	if passSeccomp == false {
+		grpcSpec.Linux.Seccomp = nil
+	}
 
 	// By now only CPU constraints are supported
 	// Issue: https://github.com/kata-containers/runtime/issues/158
@@ -1055,9 +1056,11 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
 		return nil, err
 	}
 
+	passSeccomp := !sandbox.config.DisableGuestSeccomp && sandbox.seccompSupported
+
 	// We need to constraint the spec to make sure we're not passing
 	// irrelevant information to the agent.
-	constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup)
+	constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup, passSeccomp)
 
 	k.handleShm(grpcSpec, sandbox)
 

virtcontainers/kata_agent_test.go

@@ -471,11 +471,11 @@ func TestConstraintGRPCSpec(t *testing.T) {
 		},
 	}
 
-	constraintGRPCSpec(g, true)
+	constraintGRPCSpec(g, true, true)
 
 	// check nil fields
 	assert.Nil(g.Hooks)
-	assert.Nil(g.Linux.Seccomp)
+	assert.NotNil(g.Linux.Seccomp)
 	assert.Nil(g.Linux.Resources.Devices)
 	assert.NotNil(g.Linux.Resources.Memory)
 	assert.Nil(g.Linux.Resources.Pids)

virtcontainers/pkg/oci/utils.go

@@ -122,6 +122,9 @@ type RuntimeConfig struct {
 	Debug             bool
 	Trace             bool
 
+	//Determines if seccomp should be applied inside guest
+	DisableGuestSeccomp bool
+
 	//Determines if create a netns for hypervisor process
 	DisableNewNetNs bool
 }
@@ -489,6 +492,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid
 		ShmSize: shmSize,
 
 		SystemdCgroup: systemdCgroup,
+
+		DisableGuestSeccomp: runtime.DisableGuestSeccomp,
 	}
 
 	addAssetAnnotations(ocispec, &sandboxConfig)

virtcontainers/sandbox.go

@@ -361,6 +361,8 @@ type SandboxConfig struct {
 
 	// SystemdCgroup enables systemd cgroup support
 	SystemdCgroup bool
+
+	DisableGuestSeccomp bool
 }
 
 func (s *Sandbox) trace(name string) (opentracing.Span, context.Context) {
@@ -490,9 +492,10 @@ type Sandbox struct {
 
 	wg *sync.WaitGroup
 
-	shmSize    uint64
-	sharePidNs bool
-	stateful   bool
+	shmSize          uint64
+	sharePidNs       bool
+	stateful         bool
+	seccompSupported bool
 
 	ctx context.Context
 
@@ -734,6 +737,10 @@ func (s *Sandbox) getAndStoreGuestDetails() error {
 
 	if guestDetailRes != nil {
 		s.state.GuestMemoryBlockSizeMB = uint32(guestDetailRes.MemBlockSizeBytes >> 20)
+		if guestDetailRes.AgentDetails != nil {
+			s.seccompSupported = guestDetailRes.AgentDetails.SupportsSeccomp
+		}
+
 		if err = s.storage.storeSandboxResource(s.id, stateFileType, s.state); err != nil {
 			return err
 		}