Skip to content

Commit

Permalink
Merge pull request opencontainers#3109 from kolyshkin/seccomp
Browse files Browse the repository at this point in the history
seccomp: skip redundant rules
  • Loading branch information
Mrunal Patel authored Aug 4, 2021
2 parents 64b3fe9 + 5dd92fd commit 8772c4d
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 14 deletions.
4 changes: 1 addition & 3 deletions libcontainer/seccomp/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,9 +56,7 @@ func ConvertStringToOperator(in string) (configs.Operator, error) {
}

// ConvertStringToAction converts a string into a Seccomp rule match action.
// Actions use the names they are assigned in Libseccomp's header, though some
// (notable, SCMP_ACT_TRACE) are not available in this implementation and will
// return errors.
// Actions use the names they are assigned in Libseccomp's header.
// Attempting to convert a string that is not a valid action results in an
// error.
func ConvertStringToAction(in string) (configs.Action, error) {
Expand Down
29 changes: 18 additions & 11 deletions libcontainer/seccomp/seccomp_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@ import (
"errors"
"fmt"

"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/seccomp/patchbpf"

libseccomp "github.com/seccomp/libseccomp-golang"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"

"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/seccomp/patchbpf"
)

var (
Expand Down Expand Up @@ -67,7 +68,7 @@ func InitSeccomp(config *configs.Seccomp) error {
if call == nil {
return errors.New("encountered nil syscall while initializing Seccomp")
}
if err := matchCall(filter, call); err != nil {
if err := matchCall(filter, call, defaultAction); err != nil {
return err
}
}
Expand Down Expand Up @@ -142,7 +143,7 @@ func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
}

// Add a rule to match a single syscall
func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall, defAct libseccomp.ScmpAction) error {
if call == nil || filter == nil {
return errors.New("cannot use nil as syscall to block")
}
Expand All @@ -151,17 +152,23 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
return errors.New("empty string is not a valid syscall")
}

// If we can't resolve the syscall, assume it's not supported on this kernel
// Ignore it, don't error out
callNum, err := libseccomp.GetSyscallFromName(call.Name)
// Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action, call.ErrnoRet)
if err != nil {
return fmt.Errorf("action in seccomp profile is invalid: %w", err)
}
if callAct == defAct {
// This rule is redundant, silently skip it
// to avoid error from AddRule.
return nil
}

// Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action, call.ErrnoRet)
// If we can't resolve the syscall, assume it is not supported
// by this kernel. Warn about it, don't error out.
callNum, err := libseccomp.GetSyscallFromName(call.Name)
if err != nil {
return fmt.Errorf("action in seccomp profile is invalid: %w", err)
logrus.Debugf("unknown seccomp syscall %q ignored", call.Name)
return nil
}

// Unconditional match - just add the rule
Expand Down
12 changes: 12 additions & 0 deletions tests/integration/start_hello.bats
Original file line number Diff line number Diff line change
Expand Up @@ -76,3 +76,15 @@ function teardown() {
runc run test_hello
[ "$status" -eq 0 ]
}

@test "runc run [redundant seccomp rules]" {
update_config ' .linux.seccomp = {
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [{
"names": ["bdflush"],
"action": "SCMP_ACT_ALLOW",
}]
}'
runc run test_hello
[ "$status" -eq 0 ]
}

0 comments on commit 8772c4d

Please sign in to comment.