qm: add seccomp json also deny sched_setscheduler #362

Merged
merged 1 commit into from
Apr 16, 2024
2 changes: 1 addition & 1 deletion qm.container
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ AddDevice=-/dev/fuse
ContainerName=qm
Exec=/sbin/init
Network=host
PodmanArgs=--pids-limit=-1 --security-opt label=nested --security-opt unmask=all
PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp.json --security-opt label=nested --security-opt unmask=all
ReadOnly=true
# FIXME: QM is failing to start podman command
# Add back once this ReadOnlyTmpfs added to quadlet
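Review bot: The seccomp path added to the PodmanArgs line points at a file that, judging from the setup hunk in this PR, is generated on the host by setup rather than shipped by the package; if setup has not run, or failed partway, podman should refuse to start the container instead of falling back to the default profile, which is the right failure mode but not an obvious error for whoever debugs it. A one-line comment above PodmanArgs would save the next reader the lookup, e.g. `# /usr/share/qm/seccomp.json is generated by setup (create_qm_seccomp_rules) from the containers-common default profile`.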
1 change: 1 addition & 0 deletions rpm/qm.spec
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy >= %_selinux_policy_version
BuildRequires: selinux-policy-devel >= %_selinux_policy_version

Requires: containers-common
Requires: selinux-policy >= %_selinux_policy_version
Requires(post): selinux-policy-base >= %_selinux_policy_version
Requires(post): selinux-policy-targeted >= %_selinux_policy_version
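Review bot: `Requires: containers-common` covers the source profile /usr/share/containers/seccomp.json, but the setup script changed in this same PR also shells out to `jq` at runtime to produce /usr/share/qm/seccomp.json, and nothing in this hunk declares that dependency. Unless jq is already required elsewhere in the spec (the rest of the file is outside this hunk), add `Requires: jq` next to the new line; otherwise on a minimal host `create_qm_seccomp_rules` fails at the first jq call and the QM profile is never produced.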
31 changes: 31 additions & 0 deletions setup
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,34 @@ create_rootfs_required_dirs() {

}

create_qm_seccomp_rules() {
TEMP_SECCOMP=$(mktemp)
SECCOMP_FILE_PATH="/usr/share/containers/seccomp.json"
QM_PATH_SECCOMP="/usr/share/qm/seccomp.json"

if [ ! -f "${SECCOMP_FILE_PATH}" ]; then
rm -f "${TEMP_SECCOMP}"
echo "Exiting... unable to find ${SECCOMP_FILE_PATH}"
exit 1
fi

# Copying original seccomp.json
cp "${SECCOMP_FILE_PATH}" "${QM_PATH_SECCOMP}"

# seccomp.json can be updated, we should get it from the source and adapt it.
echo "- Removing sched_setscheduler() as allowed syscall"
# make sure create a fresh seccomp.json for QM and remove allow permission for sched_setscheduler() syscall
jq --tab '(.syscalls[] | select(.names[] == "sched_setscheduler" and .action == "SCMP_ACT_ALLOW") .names) |= map(select(. != "sched_setscheduler"))' "${SECCOMP_FILE_PATH}" > "${TEMP_SECCOMP}"

echo "- Adding sched_setscheduler() into the deny list"
# Add sched_setscheduler to the deny list
jq --tab '.syscalls += [{"names": ["sched_setscheduler"], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' "${TEMP_SECCOMP}" > "${QM_PATH_SECCOMP}"

rm -f "${TEMP_SECCOMP}"
echo -e "\ndone"

}

install() {
ROOTFS=$1
RWETCFS=$2
Expand Down Expand Up @@ -204,6 +232,9 @@ eval set --"${opts}"
# main()
root_check

# Create a QM seccomp.json before start the QM daemon
create_qm_seccomp_rules

while [[ $# -gt 0 ]]; do
case "$1" in
--installdir)
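Review bot: Neither jq call in `create_qm_seccomp_rules` has its exit status checked, and the final `> "${QM_PATH_SECCOMP}"` redirection truncates the installed profile before jq has produced anything, so a missing `jq` or a filter error leaves /usr/share/qm/seccomp.json empty; if the script runs under `set -e` (not visible in this hunk) it instead aborts after the first failure and leaves the unmodified copy made by the `cp` on line 76 in place, i.e. a profile that still allows sched_setscheduler. That `cp` is otherwise dead code, since the second jq overwrites its output a few lines later. Write both stages to temp files, test each exit status, and only `mv` the result into place once both succeeded, as sketched below. Separately, if the intent is to stop QM workloads from changing scheduling policy, `sched_setattr(2)` carries the same policy and priority fields and stays in the allow list, so it should be handled the same way in both filters. The call added in the second hunk runs before the option loop, so every invocation of setup rewrites the system-wide profile regardless of the options given; consider moving it after argument parsing.
```shell
create_qm_seccomp_rules() {
    # … unchanged: TEMP_SECCOMP, path variables and the existence check …
    TEMP_SECCOMP_DENY=$(mktemp)

    echo "- Removing sched_setscheduler() as allowed syscall"
    if ! jq --tab '(.syscalls[] | select(.names[] == "sched_setscheduler" and .action == "SCMP_ACT_ALLOW") .names) |= map(select(. != "sched_setscheduler"))' "${SECCOMP_FILE_PATH}" > "${TEMP_SECCOMP}"; then
        rm -f "${TEMP_SECCOMP}" "${TEMP_SECCOMP_DENY}"
        echo "Exiting... failed to filter ${SECCOMP_FILE_PATH}" >&2
        exit 1
    fi

    echo "- Adding sched_setscheduler() into the deny list"
    if ! jq --tab '.syscalls += [{"names": ["sched_setscheduler"], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' "${TEMP_SECCOMP}" > "${TEMP_SECCOMP_DENY}"; then
        rm -f "${TEMP_SECCOMP}" "${TEMP_SECCOMP_DENY}"
        echo "Exiting... failed to add sched_setscheduler deny rule" >&2
        exit 1
    fi

    # Replace the installed profile only after both rewrites succeeded;
    # mktemp creates 0600 files, so restore the mode cp would have given it.
    mv -- "${TEMP_SECCOMP_DENY}" "${QM_PATH_SECCOMP}"
    chmod 0644 -- "${QM_PATH_SECCOMP}"
    rm -f "${TEMP_SECCOMP}"
    # … unchanged: done message …
}
```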