Add seccomp support.

Author: shishir-a412ed

containerd/containerd.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/oci"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -65,6 +66,12 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
 		opts = append(opts, oci.WithPrivileged)
 	}
 
+	// Enable default seccomp profile.
+	// Allowed syscalls for the default seccomp profile: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
+	if config.Seccomp {
+		opts = append(opts, seccomp.WithDefaultProfile())
+	}
+
 	// Launch container in read-only mode.
 	if config.ReadOnlyRootfs {
 		opts = append(opts, oci.WithRootFSReadonly())

containerd/driver.go

@@ -92,6 +92,7 @@ var (
 		"cap_drop":        hclspec.NewAttr("cap_drop", "list(string)", false),
 		"devices":         hclspec.NewAttr("devices", "list(string)", false),
 		"privileged":      hclspec.NewAttr("privileged", "bool", false),
+		"seccomp":         hclspec.NewAttr("seccomp", "bool", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
@@ -140,6 +141,7 @@ type TaskConfig struct {
 	CapAdd         []string `codec:"cap_add"`
 	CapDrop        []string `codec:"cap_drop"`
 	Devices        []string `codec:"devices"`
+	Seccomp        bool     `codec:"seccomp"`
 	Privileged     bool     `codec:"privileged"`
 	ReadOnlyRootfs bool     `codec:"readonly_rootfs"`
 	HostNetwork    bool     `codec:"host_network"`