api: add seccomp adjustment

This adds an adjustment for seccomp policies. The intent is that people can
wholesale replace policies, or parse them, make some changes, and then send
them back. Sending them *to* NRI via containerd requires some containerd
patches as well, those are here: https://github.com/tych0/containerd/commits/nri-seccomp/

Specifically, we are interested in making the listenerPath of the policy
dynamic based on a k8s pod spec, so we can't use the Localhost custom
policy (well, we can use most of it, except for listenerPath, which we have
an NRI plugin to change based on this code).

This patch is a lot of boilerplate, which is unfortunate. There is a much
smaller but similar patch:
tych0@a70547a
but it involves directly serializing a runtime-spec string

Finally, note the comment in generate.go: the runtime-tools generate code
does not have complete coverage for seccomp stuff, so I opted to not use
any of it, vs. adding more stuff to runtime-tools. The fact that there are
human and computer names is also confusing, it seems like we should stick
to the computer names for this particular interface.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

Author: tych0

pkg/adaptation/api.go

@@ -78,6 +78,7 @@ type (
 	LinuxMemory              = api.LinuxMemory
 	LinuxDevice              = api.LinuxDevice
 	LinuxDeviceCgroup        = api.LinuxDeviceCgroup
+	LinuxSeccomp             = api.LinuxSeccomp
 	CDIDevice                = api.CDIDevice
 	HugepageLimit            = api.HugepageLimit
 	Hooks                    = api.Hooks

pkg/adaptation/result.go

@@ -219,6 +219,9 @@ func (r *result) adjust(rpl *ContainerAdjustment, plugin string) error {
 		if err := r.adjustOomScoreAdj(rpl.Linux.OomScoreAdj, plugin); err != nil {
 			return err
 		}
+		if err := r.adjustSeccompPolicy(rpl.Linux.SeccompPolicy, plugin); err != nil {
+			return err
+		}
 	}
 	if err := r.adjustRlimits(rpl.Rlimits, plugin); err != nil {
 		return err
@@ -738,6 +741,22 @@ func (r *result) adjustOomScoreAdj(OomScoreAdj *OptionalInt, plugin string) erro
 	return nil
 }
 
+func (r *result) adjustSeccompPolicy(adjustment *LinuxSeccomp, plugin string) error {
+	if adjustment == nil {
+		return nil
+	}
+	create, id := r.request.create, r.request.create.Container.Id
+
+	if err := r.owners.claimSeccompPolicy(id, plugin); err != nil {
+		return err
+	}
+
+	create.Container.Linux.SeccompPolicy = adjustment
+	r.reply.adjust.Linux.SeccompPolicy = adjustment
+
+	return nil
+}
+
 func (r *result) adjustRlimits(rlimits []*POSIXRlimit, plugin string) error {
 	create, id, adjust := r.request.create, r.request.create.Container.Id, r.reply.adjust
 	for _, l := range rlimits {
@@ -976,6 +995,7 @@ type owners struct {
 	unified             map[string]string
 	cgroupsPath         string
 	oomScoreAdj         string
+	seccompPolicy       string
 	rlimits             map[string]string
 }
 
@@ -1096,6 +1116,10 @@ func (ro resultOwners) claimOomScoreAdj(id, plugin string) error {
 	return ro.ownersFor(id).claimOomScoreAdj(plugin)
 }
 
+func (ro resultOwners) claimSeccompPolicy(id, plugin string) error {
+	return ro.ownersFor(id).claimSeccompPolicy(plugin)
+}
+
 func (ro resultOwners) claimRlimits(id, typ, plugin string) error {
 	return ro.ownersFor(id).claimRlimit(typ, plugin)
 }
@@ -1349,6 +1373,14 @@ func (o *owners) claimOomScoreAdj(plugin string) error {
 	return nil
 }
 
+func (o *owners) claimSeccompPolicy(plugin string) error {
+	if other := o.seccompPolicy; other != "" {
+		return conflict(plugin, other, "seccomp policy")
+	}
+	o.seccompPolicy = plugin
+	return nil
+}
+
 func (ro resultOwners) clearAnnotation(id, key string) {
 	ro.ownersFor(id).clearAnnotation(key)
 }