diff --git a/Makefile b/Makefile index 32a46b97b3..999b6a2f7c 100644 --- a/Makefile +++ b/Makefile @@ -147,6 +147,9 @@ DEFMEMSLOTS := 10 DEFBRIDGES := 1 #Default network model DEFNETWORKMODEL := macvtap + +DEFDISABLEGUESTSECCOMP := true + #Default entropy source DEFENTROPYSOURCE := /dev/urandom @@ -229,6 +232,7 @@ USER_VARS += DEFMEMSZ USER_VARS += DEFMEMSLOTS USER_VARS += DEFBRIDGES USER_VARS += DEFNETWORKMODEL +USER_VARS += DEFDISABLEGUESTSECCOMP USER_VARS += DEFDISABLEBLOCK USER_VARS += DEFBLOCKSTORAGEDRIVER USER_VARS += DEFENABLEIOTHREADS @@ -398,6 +402,7 @@ $(GENERATED_FILES): %: %.in Makefile VERSION -e "s|@DEFMEMSLOTS@|$(DEFMEMSLOTS)|g" \ -e "s|@DEFBRIDGES@|$(DEFBRIDGES)|g" \ -e "s|@DEFNETWORKMODEL@|$(DEFNETWORKMODEL)|g" \ + -e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \ -e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \ -e "s|@DEFBLOCKSTORAGEDRIVER@|$(DEFBLOCKSTORAGEDRIVER)|g" \ -e "s|@DEFENABLEIOTHREADS@|$(DEFENABLEIOTHREADS)|g" \ diff --git a/cli/config/configuration.toml.in b/cli/config/configuration.toml.in index e9062928ce..5ecedad3d6 100644 --- a/cli/config/configuration.toml.in +++ b/cli/config/configuration.toml.in @@ -291,6 +291,13 @@ path = "@NETMONPATH@" # internetworking_model="@DEFNETWORKMODEL@" +# disable guest seccomp +# Determines whether container seccomp profiles are passed to the virtual +# machine and applied by the kata agent. If set to true, seccomp is not applied +# within the guest +# (default: true) +disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ + # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) diff --git a/cli/kata-env.go b/cli/kata-env.go index 8db1b8ae4f..8bf2d05760 100644 --- a/cli/kata-env.go +++ b/cli/kata-env.go @@ -63,12 +63,13 @@ type RuntimeConfigInfo struct { // RuntimeInfo stores runtime details. type RuntimeInfo struct { - Version RuntimeVersionInfo - Config RuntimeConfigInfo - Debug bool - Trace bool - DisableNewNetNs bool - Path string + Version RuntimeVersionInfo + Config RuntimeConfigInfo + Debug bool + Trace bool + DisableGuestSeccomp bool + DisableNewNetNs bool + Path string } // RuntimeVersionInfo stores details of the runtime version @@ -174,12 +175,13 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo { runtimePath, _ := os.Executable() return RuntimeInfo{ - Debug: config.Debug, - Trace: config.Trace, - Version: runtimeVersion, - Config: runtimeConfig, - Path: runtimePath, - DisableNewNetNs: config.DisableNewNetNs, + Debug: config.Debug, + Trace: config.Trace, + Version: runtimeVersion, + Config: runtimeConfig, + Path: runtimePath, + DisableNewNetNs: config.DisableNewNetNs, + DisableGuestSeccomp: config.DisableGuestSeccomp, } } diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go index 00912bdf09..d3eca19bd3 100644 --- a/pkg/katautils/config.go +++ b/pkg/katautils/config.go @@ -120,10 +120,11 @@ type proxy struct { } type runtime struct { - Debug bool `toml:"enable_debug"` - Tracing bool `toml:"enable_tracing"` - DisableNewNetNs bool `toml:"disable_new_netns"` - InterNetworkModel string `toml:"internetworking_model"` + Debug bool `toml:"enable_debug"` + Tracing bool `toml:"enable_tracing"` + DisableNewNetNs bool `toml:"disable_new_netns"` + DisableGuestSeccomp bool `toml:"disable_guest_seccomp"` + InterNetworkModel string `toml:"internetworking_model"` } type shim struct { @@ -795,6 +796,8 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved return "", config, err } + config.DisableGuestSeccomp = tomlConf.Runtime.DisableGuestSeccomp + // use no proxy if HypervisorConfig.UseVSock is true if config.HypervisorConfig.UseVSock { kataUtilsLogger.Info("VSOCK supported, configure to not use proxy") diff --git a/virtcontainers/kata_agent.go b/virtcontainers/kata_agent.go index 95c0a4b453..3daa9402a5 100644 --- a/virtcontainers/kata_agent.go +++ b/virtcontainers/kata_agent.go @@ -773,16 +773,17 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages return nil } -func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool) { +func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool, passSeccomp bool) { // Disable Hooks since they have been handled on the host and there is // no reason to send them to the agent. It would make no sense to try // to apply them on the guest. grpcSpec.Hooks = nil - // Disable Seccomp since they cannot be handled properly by the agent - // until we provide a guest image with libseccomp support. More details - // here: https://github.com/kata-containers/agent/issues/104 - grpcSpec.Linux.Seccomp = nil + // Pass seccomp only if disable_guest_seccomp is set to false in + // configuration.toml and guest image is seccomp capable. + if passSeccomp == false { + grpcSpec.Linux.Seccomp = nil + } // By now only CPU constraints are supported // Issue: https://github.com/kata-containers/runtime/issues/158 @@ -1055,9 +1056,11 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process, return nil, err } + passSeccomp := !sandbox.config.DisableGuestSeccomp && sandbox.seccompSupported + // We need to constraint the spec to make sure we're not passing // irrelevant information to the agent. - constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup) + constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup, passSeccomp) k.handleShm(grpcSpec, sandbox) diff --git a/virtcontainers/kata_agent_test.go b/virtcontainers/kata_agent_test.go index f34473dc22..3dc9180de9 100644 --- a/virtcontainers/kata_agent_test.go +++ b/virtcontainers/kata_agent_test.go @@ -471,11 +471,11 @@ func TestConstraintGRPCSpec(t *testing.T) { }, } - constraintGRPCSpec(g, true) + constraintGRPCSpec(g, true, true) // check nil fields assert.Nil(g.Hooks) - assert.Nil(g.Linux.Seccomp) + assert.NotNil(g.Linux.Seccomp) assert.Nil(g.Linux.Resources.Devices) assert.NotNil(g.Linux.Resources.Memory) assert.Nil(g.Linux.Resources.Pids) diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go index 4fe588353d..0bd7e4b4a0 100644 --- a/virtcontainers/pkg/oci/utils.go +++ b/virtcontainers/pkg/oci/utils.go @@ -122,6 +122,9 @@ type RuntimeConfig struct { Debug bool Trace bool + //Determines if seccomp should be applied inside guest + DisableGuestSeccomp bool + //Determines if create a netns for hypervisor process DisableNewNetNs bool } @@ -489,6 +492,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid ShmSize: shmSize, SystemdCgroup: systemdCgroup, + + DisableGuestSeccomp: runtime.DisableGuestSeccomp, } addAssetAnnotations(ocispec, &sandboxConfig) diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go index fb66ad119f..6a0c45c28d 100644 --- a/virtcontainers/sandbox.go +++ b/virtcontainers/sandbox.go @@ -361,6 +361,8 @@ type SandboxConfig struct { // SystemdCgroup enables systemd cgroup support SystemdCgroup bool + + DisableGuestSeccomp bool } func (s *Sandbox) trace(name string) (opentracing.Span, context.Context) { @@ -490,9 +492,10 @@ type Sandbox struct { wg *sync.WaitGroup - shmSize uint64 - sharePidNs bool - stateful bool + shmSize uint64 + sharePidNs bool + stateful bool + seccompSupported bool ctx context.Context @@ -734,6 +737,10 @@ func (s *Sandbox) getAndStoreGuestDetails() error { if guestDetailRes != nil { s.state.GuestMemoryBlockSizeMB = uint32(guestDetailRes.MemBlockSizeBytes >> 20) + if guestDetailRes.AgentDetails != nil { + s.seccompSupported = guestDetailRes.AgentDetails.SupportsSeccomp + } + if err = s.storage.storeSandboxResource(s.id, stateFileType, s.state); err != nil { return err }