
Extend experiment seccomp program#3464

Merged
saku3 merged 47 commits into youki-dev:main from sat0ken:extend-experiment-seccomp
Apr 7, 2026

Conversation

@sat0ken
Contributor

@sat0ken sat0ken commented Mar 17, 2026

Description

Working on #2724

// Sorry, this PR is difficult to review.
// Sorry for my mistake: PR #3463 was closed. Reopening it.

・add a JSON file for more test cases and create an example dir
・some functions copied to libcontainer/seccomp
・add argument checks for system calls
・a BPF jmp instruction cannot jump more than 255 instructions, so if the number of system calls exceeds 255, the list is split

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test updates
  • CI/CD related changes
  • Other (please describe):

Testing

  • Added new unit tests
  • Added new integration tests
  • Ran existing test suite
  • Tested manually (please provide steps)
  1. Download the test program from my repo.
  2. go build & go run
  3. Run cargo run --example readjson
  4. Compare the BPF code printed to stdout in steps 2 and 3.

Related Issues

Fixes #

Additional Context

sat0ken and others added 30 commits March 17, 2026 23:51
- add default error return code to InstructionData
- add action to Rule
- add action to fn new of Rule and fix test code
- add seccomp compare op code to const
- ported function from libcontainer of seccomp
- update Cargo.toml and lock
- add const of seccomp flags
- add flags to InstructionData
- add derive
- improve implementation to generate filter from LinuxSeccomp
- update main.rs to use oci_spec
- fix format

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
- modify systemcall of args check logic
- add for test code and add serde to use json
- update gen_validate
- update seccomp_data_args_offset to get args index
- add file for test
- update check argument code
- update check argument code
- fix test code
- remove unusual args from fn to_instruction_with_args
- add test code
- add test case with args
- add test for arm64

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sat0ken added 11 commits March 17, 2026 23:59
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@saku3 saku3 added the kind/experimental `/experimental` label Mar 18, 2026
@sat0ken sat0ken mentioned this pull request Mar 19, 2026
sat0ken added 4 commits April 1, 2026 23:48
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
Contributor Author

sat0ken commented Apr 1, 2026

I write below what I discussed with @saku3 and we agreed on.

  • the structure should look like this
experiment/seccomp/
  ├── src/
  │   ├── instruction/
  │   ├── lib.rs
  │   ├── seccomp.rs
  └── tests/
      ├── readjson.rs
      ├── filter.rs
      └── helpers/
          └── mod.rs
  • tokio is used by the example code, so mark it as a dev-dependency in Cargo.toml
  • to compare the output of the BPF instructions, add code that reads the JSON file using libseccomp-rs

fix warning

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
Member

@saku3 saku3 left a comment


Thanks for the PR!

We are working toward our own seccomp implementation so that we can remove the dependency on libseccomp.

At the moment, both @sat0ken and I recognize that there are still several issues in the current PR.
Since the PR has grown quite large, we would like to merge it at this stage and continue improving it in follow-up PRs.

As of now, this functionality should not impact youki itself, so merging it will not break youki.


#[test]
fn test_build_instruction_with_args_x86_equal() {
let persolality = get_syscall_number(&Arch::X86, "personality").unwrap();
Member


Suggested change
let persolality = get_syscall_number(&Arch::X86, "personality").unwrap();
let personality = get_syscall_number(&Arch::X86, "personality").unwrap();

Contributor Author


I fixed it.

716a547

(rule.args.unwrap().arg0 >> 32) as c_uint,
));

// lower 32bit check of
Member


Suggested change
// lower 32bit check of
// lower 32bit check of args

Contributor Author


I fixed it.

716a547
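The two mechanisms this PR describes, comparing a 64-bit syscall argument as its upper and lower 32-bit halves (the snippet reviewed just above) and splitting the syscall compare chain when it would exceed the 8-bit jump range of classic BPF (the 255 limit from the description), as one added, self-contained example. This is not youki's code and not the PR's implementation: it builds the filter as `sock_filter` quadruples and runs it through a minimal cBPF interpreter on a constructed `seccomp_data` image, so the verdicts can be checked offline without calling seccomp(2). The opcode, return-value and offset constants are those of `<linux/filter.h>`, `<linux/seccomp.h>` and `<linux/audit.h>`; the little-endian placement of the two argument halves is an assumption (it holds on x86_64 and arm64 LE), and syscall number 135 (personality on x86_64), the errno value and the 600-entry allow list are constructed test values.

```rust
// Added example, not youki's code: a classic-BPF seccomp filter built as this PR describes, evaluated offline.
struct SockFilter { code: u16, jt: u8, jf: u8, k: u32 }

// Opcodes from <linux/filter.h>; return values and offsets from <linux/seccomp.h>.
const LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const JEQ_K: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
const RET_K: u16 = 0x06; // BPF_RET | BPF_K
const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
const SECCOMP_RET_ERRNO: u32 = 0x0005_0000; // low 16 bits carry the errno
const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
const AUDIT_ARCH_X86_64: u32 = 0xc000_003e; // <linux/audit.h>
const OFF_NR: u32 = 0; // struct seccomp_data { int nr; __u32 arch; __u64 ip; __u64 args[6]; }
const OFF_ARCH: u32 = 4;
const OFF_ARGS: u32 = 16;
const MAX_CHAIN: usize = 255; // jt/jf are u8: at most this many compares before a chunk's `ret`

fn stmt(code: u16, k: u32) -> SockFilter { SockFilter { code, jt: 0, jf: 0, k } }
fn jump(code: u16, k: u32, jt: u8, jf: u8) -> SockFilter { SockFilter { code, jt, jf, k } }

/// `ld nr`, then one `jeq` per syscall, split into chunks of MAX_CHAIN so no jump exceeds 255.
/// Each chunk ends in its own `ret action`; a chunk's last compare hops over that `ret` (jf = 1)
/// into the next chunk. The accumulator keeps nr across chunks, so it is loaded only once.
fn syscall_chain(nrs: &[u32], action: u32) -> Vec<SockFilter> {
    let mut out = vec![stmt(LD_W_ABS, OFF_NR)];
    for chunk in nrs.chunks(MAX_CHAIN) {
        let m = chunk.len();
        for (i, &nr) in chunk.iter().enumerate() {
            let jt = (m - 1 - i) as u8; // skip the remaining compares, land on `ret`
            out.push(jump(JEQ_K, nr, jt, if i == m - 1 { 1 } else { 0 }));
        }
        out.push(stmt(RET_K, action));
    }
    out
}

/// Rule "syscall `nr` with args[idx] == value": the 64-bit argument is compared as two
/// 32-bit loads, upper half first; any failed compare skips past this rule's `ret`.
fn arg_eq_rule(nr: u32, idx: u32, value: u64, action: u32) -> Vec<SockFilter> {
    let lo = OFF_ARGS + 8 * idx; // low word first on a little-endian host (x86_64, arm64 LE)
    let hi = lo + 4;
    vec![
        stmt(LD_W_ABS, OFF_NR),
        jump(JEQ_K, nr, 0, 5),
        stmt(LD_W_ABS, hi), // upper 32 bits of the argument
        jump(JEQ_K, (value >> 32) as u32, 0, 3),
        stmt(LD_W_ABS, lo), // lower 32 bits of the argument
        jump(JEQ_K, value as u32, 0, 1),
        stmt(RET_K, action),
    ]
}

/// Arch check, then argument rules, then the allow chain, then the default action.
fn build_filter(rules: &[(u32, u32, u64, u32)], allow: &[u32], default: u32) -> Vec<SockFilter> {
    let mut f = vec![
        stmt(LD_W_ABS, OFF_ARCH),
        jump(JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
        stmt(RET_K, SECCOMP_RET_KILL_PROCESS), // foreign arch: the same nr means another syscall
    ];
    for &(nr, idx, value, action) in rules {
        f.extend(arg_eq_rule(nr, idx, value, action));
    }
    f.extend(syscall_chain(allow, SECCOMP_RET_ALLOW));
    f.push(stmt(RET_K, default));
    f
}

/// Minimal cBPF interpreter for the three opcodes above; `data` is a little-endian seccomp_data image.
fn run_filter(prog: &[SockFilter], data: &[u8; 64]) -> Result<u32, String> {
    let load = |o: usize| data.get(o..o + 4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]])).ok_or(format!("bad load at {}", o));
    let (mut pc, mut acc) = (0usize, 0u32);
    while let Some(ins) = prog.get(pc) {
        pc += 1;
        match ins.code {
            LD_W_ABS => acc = load(ins.k as usize)?,
            JEQ_K => pc += (if acc == ins.k { ins.jt } else { ins.jf }) as usize,
            RET_K => return Ok(ins.k),
            other => return Err(format!("unsupported opcode {:#x}", other)),
        }
    }
    Err("fell off the end of the program".to_string())
}

/// Constructed struct seccomp_data image for testing; no real syscall is made.
fn seccomp_data(nr: u32, arch: u32, args: [u64; 6]) -> [u8; 64] {
    let mut d = [0u8; 64];
    d[0..4].copy_from_slice(&nr.to_le_bytes());
    d[4..8].copy_from_slice(&arch.to_le_bytes());
    for (i, a) in args.iter().enumerate() {
        d[16 + 8 * i..24 + 8 * i].copy_from_slice(&a.to_le_bytes());
    }
    d
}

fn main() {
    // Constructed values: 600 allowed syscalls force three chunks; nr 135 is personality on x86_64.
    let allow: Vec<u32> = (0..600).collect();
    let prog = build_filter(&[(135, 0, 0x8_0000_0040, SECCOMP_RET_ERRNO | 1)], &allow, SECCOMP_RET_KILL_PROCESS);
    let data = seccomp_data(135, AUDIT_ARCH_X86_64, [0x8_0000_0040, 0, 0, 0, 0, 0]);
    println!("{} instructions, verdict {:?}", prog.len(), run_filter(&prog, &data)); // 615 instructions, verdict Ok(327681)
}
```

With 600 allowed syscalls the chain is 604 instructions (one load, 600 compares, one `ret` per chunk of 255, 255 and 90) and every `jt` stays at or below 254, so a syscall in the last chunk still reaches SECCOMP_RET_ALLOW across the chunk boundaries. A rule whose argument matches in only one of its two 32-bit halves does not fire and falls through to the allow chain, which is the behaviour the upper/lower split is meant to guarantee; an out-of-range load is reported as an error rather than read as zero.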

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@saku3 saku3 merged commit 11e2610 into youki-dev:main Apr 7, 2026
28 checks passed
@github-actions github-actions bot mentioned this pull request Apr 7, 2026