Add Seccomp Notify support

alban · alban · commit 483dfbf77aa4 · 2020-10-22T17:53:35.000+02:00
This adds the specification for Seccomp Userspace Notification and the Golang bindings. This contains: - A new OCI hook "sendSeccompFd" used to pass the seccompfd to an external seccomp agent via the hook. - Additional fields for the container state to give information about the file descriptors passed for seccomp. This was discussed in the OCI Weekly Discussion on September 16th, 2020, see: - https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg#September-16-2020 - https://docs.google.com/document/d/1xHw5GQjMj6ZKR-40aKmTWZRkvlPuzMGQRu-YpOFQc30/edit Documentation for this feature: - https://www.kernel.org/doc/html/v5.0/userspace-api/seccomp_filter.html#userspace-notification - man pages: seccomp_user_notif.2 at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/log/?h=seccomp_user_notif - brauner's blog: https://brauner.github.io/2020/07/23/seccomp-notify.html This PR is an alternative proposal to PR 1038. Signed-off-by: Alban Crequy <alban@kinvolk.io>
diff --git a/config-linux.md b/config-linux.md
@@ -642,6 +642,7 @@ The following parameters can be specified to set up seccomp:
         * `SCMP_ACT_TRACE`
         * `SCMP_ACT_ALLOW`
         * `SCMP_ACT_LOG`
+        * `SCMP_ACT_NOTIFY`
 
     * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
         Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno
diff --git a/config.md b/config.md
@@ -412,6 +412,11 @@ For POSIX platforms, the configuration structure supports `hooks` for configurin
         * Entries in the array have the same schema as `createRuntime` entries.
         * The value of `path` MUST resolve in the [runtime namespace](glossary.md#runtime-namespace).
         * The `poststop` hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace).
+    * **`sendSeccompFd`** (array of objects, OPTIONAL) is an array of [`sendSeccompFd` hooks](#sendseccompfd).
+        * Entries in the array have the same schema as `createRuntime` entries.
+        * The value of `path` MUST resolve in the [runtime namespace](glossary.md#runtime-namespace).
+        * The `sendSeccompFd` hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace).
+        * The [state](runtime.md#state) passed to hooks over stdin contains an additional payload with the seccomp file descriptor.
 
 Hooks allow users to specify programs to run before or after various lifecycle events.
 Hooks MUST be called in the listed order.
@@ -476,6 +481,16 @@ Cleanup or debugging functions are examples of such a hook.
 The `poststop` hooks' path MUST resolve in the [runtime namespace](glossary.md#runtime-namespace).
 The `poststop` hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace).
 
+### <a name="configHooksSendSeccompFd" />SendSeccompFd
+
+The `sendSeccompFd` hooks is only called if the seccomp policy contains `SCMP_ACT_NOTIFY`.
+
+The `sendSeccompFd` hooks MUST be called after the [`start`](runtime.md#start) operation is called and after the seccomp policy is installed but [before the user-specified program command is executed](runtime.md#lifecycle).
+The goal of this hook is to pass the seccomp file descriptor to a seccomp agent.
+
+The `sendSeccompFd` hooks' path MUST resolve in the [runtime namespace](glossary.md#runtime-namespace).
+The `peccompFdoststop` hooks MUST be executed in the [runtime namespace](glossary.md#runtime-namespace).
+
 ### Summary
 
 See the below table for a summary of hooks and when they are called:
@@ -488,6 +503,7 @@ See the below table for a summary of hooks and when they are called:
 | `startContainer`        | container | After the start operation is called but before the user-specified program command is executed.                                     |
 | `poststart`             | runtime   | After the user-specified process is executed but before the start operation returns.                                               |
 | `poststop`              | runtime   | After the container is deleted but before the delete operation returns.                                                            |
+| `sendSeccompFd`         | runtime   | After the start operation is called but before the user-specified program command is executed.                                     |
 
 ### Example
 
@@ -536,6 +552,13 @@ See the below table for a summary of hooks and when they are called:
             "path": "/usr/sbin/cleanup.sh",
             "args": ["cleanup.sh", "-f"]
         }
+    ],
+    "sendSeccompFd": [
+        {
+            "path": "/usr/bin/seccomp-agent",
+            "args": ["seccomp-agent", "--allow-mknods=/dev/null,/dev/net/tun"],
+            "env":  [ "key1=value1"]
+        }
     ]
 }
 ```
diff --git a/runtime.md b/runtime.md
@@ -29,6 +29,7 @@ The state of a container includes the following properties:
     This is provided so that consumers can find the container's configuration and root filesystem on the host.
 * **`annotations`** (map, OPTIONAL) contains the list of annotations associated with the container.
     If no annotations were provided then this property MAY either be absent or an empty map.
+* **`seccomp`** (map, OPTIONAL) contains additional TODO.
 
 The state MAY include additional properties.
 
diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -26,6 +26,9 @@
                 },
                 "poststop": {
                     "$ref": "defs.json#/definitions/ArrayOfHooks"
+                },
+                "sendSeccompFd": {
+                    "$ref": "defs.json#/definitions/ArrayOfHooks"
                 }
             }
         },
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -60,7 +60,8 @@
                 "SCMP_ACT_ERRNO",
                 "SCMP_ACT_TRACE",
                 "SCMP_ACT_ALLOW",
-                "SCMP_ACT_LOG"
+                "SCMP_ACT_LOG",
+                "SCMP_ACT_NOTIFY"
             ]
         },
         "SeccompFlag": {
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -191,6 +191,13 @@
                     "-f"
                 ]
             }
+        ],
+        "sendSeccompFd": [
+            {
+                "path": "/usr/bin/seccomp-agent",
+                "args": ["seccomp-agent", "--allow-mknods=/dev/null,/dev/net/tun"],
+                "env":  [ "key1=value1"]
+            }
         ]
     },
     "linux": {
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -134,6 +134,9 @@ type Hooks struct {
 	// CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
 	// It is called in the Runtime Namespace
 	CreateRuntime []Hook `json:"createRuntime,omitempty"`
+	// SendSeccompFd is a list of hooks to be run after a new seccomp fd is created
+	// It is called in the Runtime Namespace
+	SendSeccompFd []Hook `json:"sendSeccompFd,omitempty"`
 	// CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
 	// It is called in the Container Namespace
 	CreateContainer []Hook `json:"createContainer,omitempty"`
@@ -646,6 +649,7 @@ const (
 	ActTrace       LinuxSeccompAction = "SCMP_ACT_TRACE"
 	ActAllow       LinuxSeccompAction = "SCMP_ACT_ALLOW"
 	ActLog         LinuxSeccompAction = "SCMP_ACT_LOG"
+	ActNotify      LinuxSeccompAction = "SCMP_ACT_NOTIFY"
 )
 
 // LinuxSeccompOperator used to match syscall arguments in Seccomp
diff --git a/specs-go/state.go b/specs-go/state.go
@@ -5,17 +5,17 @@ type ContainerState string
 
 const (
 	// StateCreating indicates that the container is being created
-	StateCreating ContainerState  = "creating"
+	StateCreating ContainerState = "creating"
 
 	// StateCreated indicates that the runtime has finished the create operation
-	StateCreated ContainerState  = "created"
+	StateCreated ContainerState = "created"
 
 	// StateRunning indicates that the container process has executed the
 	// user-specified program but has not exited
-	StateRunning ContainerState  = "running"
+	StateRunning ContainerState = "running"
 
 	// StateStopped indicates that the container process has exited
-	StateStopped ContainerState  = "stopped"
+	StateStopped ContainerState = "stopped"
 )
 
 // State holds information about the runtime state of the container.
@@ -32,4 +32,6 @@ type State struct {
 	Bundle string `json:"bundle"`
 	// Annotations are key values associated with the container.
 	Annotations map[string]string `json:"annotations,omitempty"`
+
+	SeccompFd int `json:"seccompFd"`
 }

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@`
`26`	`26`	`},`
`27`	`27`	`"poststop": {`
`28`	`28`	`"$ref": "defs.json#/definitions/ArrayOfHooks"`
	`29`	`+ },`
	`30`	`+ "sendSeccompFd": {`
	`31`	`+ "$ref": "defs.json#/definitions/ArrayOfHooks"`
`29`	`32`	`}`
`30`	`33`	`}`
`31`	`34`	`},`
Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,13 @@`
`191`	`191`	`"-f"`
`192`	`192`	`]`
`193`	`193`	`}`
	`194`	`+ ],`
	`195`	`+ "sendSeccompFd": [`
	`196`	`+ {`
	`197`	`+ "path": "/usr/bin/seccomp-agent",`
	`198`	`+ "args": ["seccomp-agent", "--allow-mknods=/dev/null,/dev/net/tun"],`
	`199`	`+ "env": [ "key1=value1"]`
	`200`	`+ }`
`194`	`201`	`]`
`195`	`202`	`},`
`196`	`203`	`"linux": {`