From 4a751b05a9508dd77ff65f22d5d2cd8f8ba948a8 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 9 Sep 2021 14:48:01 +1000 Subject: [PATCH 1/2] seccomp: drop unnecessary const SCMP_ACT_* defines These are just boilerplate and are only really useful for the two actions which require us to set a default errno/aux value (ActErrno and ActTrace). Signed-off-by: Aleksa Sarai --- libcontainer/seccomp/seccomp_linux.go | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go index ad599e994..2ec35464c 100644 --- a/libcontainer/seccomp/seccomp_linux.go +++ b/libcontainer/seccomp/seccomp_linux.go @@ -16,13 +16,8 @@ import ( ) var ( - actAllow = libseccomp.ActAllow - actTrap = libseccomp.ActTrap - actKill = libseccomp.ActKill - actTrace = libseccomp.ActTrace.SetReturnCode(int16(unix.EPERM)) - actLog = libseccomp.ActLog - actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM)) - actNotify = libseccomp.ActNotify + actTrace = libseccomp.ActTrace.SetReturnCode(int16(unix.EPERM)) + actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM)) ) const ( @@ -71,7 +66,7 @@ func InitSeccomp(config *configs.Seccomp) (int, error) { } // See comment on why write is not allowed. The same reason applies, as this can mean handling write too. - if defaultAction == actNotify { + if defaultAction == libseccomp.ActNotify { return -1, errors.New("SCMP_ACT_NOTIFY cannot be used as default action") } @@ -119,25 +114,25 @@ func InitSeccomp(config *configs.Seccomp) (int, error) { func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) { switch act { case configs.Kill: - return actKill, nil + return libseccomp.ActKill, nil case configs.Errno: if errnoRet != nil { return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil } return actErrno, nil case configs.Trap: - return actTrap, nil + return libseccomp.ActTrap, nil case configs.Allow: - return actAllow, nil + return libseccomp.ActAllow, nil case configs.Trace: if errnoRet != nil { return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil } return actTrace, nil case configs.Log: - return actLog, nil + return libseccomp.ActLog, nil case configs.Notify: - return actNotify, nil + return libseccomp.ActNotify, nil default: return libseccomp.ActInvalid, errors.New("invalid action, cannot use in rule") } From 4a4d4f109b6b257a7189e946d9f1858a3ac8e010 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Wed, 28 Jul 2021 08:55:32 +0200 Subject: [PATCH 2/2] Add support for seccomp actions ActKillThread and ActKillProcess Two new seccomp actions have been added to the libseccomp-golang dependency, which can be now supported by runc, too. ActKillThread kills the thread that violated the rule. It is the same as ActKill. All other threads from the same thread group will continue to execute. ActKillProcess kills the process that violated the rule. All threads in the thread group are also terminated. This action is only usable when libseccomp API level 3 or higher is supported. Signed-off-by: Sascha Grunert Signed-off-by: Aleksa Sarai --- libcontainer/configs/config.go | 2 ++ libcontainer/seccomp/seccomp_linux.go | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go index e0db8e017..329f05ccb 100644 --- a/libcontainer/configs/config.go +++ b/libcontainer/configs/config.go @@ -50,6 +50,8 @@ const ( Trace Log Notify + KillThread + KillProcess ) // Operator is a comparison operator to be used when matching syscall arguments in Seccomp diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go index 2ec35464c..f552aba48 100644 --- a/libcontainer/seccomp/seccomp_linux.go +++ b/libcontainer/seccomp/seccomp_linux.go @@ -133,6 +133,10 @@ func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error return libseccomp.ActLog, nil case configs.Notify: return libseccomp.ActNotify, nil + case configs.KillThread: + return libseccomp.ActKillThread, nil + case configs.KillProcess: + return libseccomp.ActKillProcess, nil default: return libseccomp.ActInvalid, errors.New("invalid action, cannot use in rule") }