seccomp: custom annotation to load raw bpf

giuseppe · giuseppe · commit 30ad2a7f28f5 · 2021-01-26T19:21:24.000+01:00
Add an annotation `run.oci.seccomp_bpf_data` to ignore the seccomp
section in the OCI configuration file and use the specified file as
the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.

Signed-off-by: Giuseppe Scrivano &lt;gscrivan@redhat.com&gt;
diff --git a/crun.1 b/crun.1
@@ -467,6 +467,12 @@ are available on the \fB\fCld.so(8)\fR man page.
 If the annotation \fB\fCrun.oci.seccomp\_fail\_unknown\_syscall\fR is present, then crun
 will fail when an unknown syscall is encountered in the seccomp configuration.
 
+.SH \fB\fCrun.oci.seccomp\_bpf\_data\fR
+.PP
+If the annotation \fB\fCrun.oci.seccomp\_bpf\_data\fR is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the \fB\fCseccomp(SECCOMP\_SET\_MODE\_FILTER)\fR syscall.
+
 .SH \fB\fCrun.oci.keep\_original\_groups=1\fR
 .PP
 If the annotation \fB\fCrun.oci.keep\_original\_groups\fR is present, then crun
diff --git a/crun.1.md b/crun.1.md
@@ -371,6 +371,12 @@ are available on the `ld.so(8)` man page.
 If the annotation `run.oci.seccomp_fail_unknown_syscall` is present, then crun
 will fail when an unknown syscall is encountered in the seccomp configuration.
 
+## `run.oci.seccomp_bpf_data`
+
+If the annotation `run.oci.seccomp_bpf_data` is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.
+
 ## `run.oci.keep_original_groups=1`
 
 If the annotation `run.oci.keep_original_groups` is present, then crun
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -1950,6 +1950,21 @@ libcrun_container_run_internal (libcrun_container_t *container, libcrun_context_
       if (annotation && strcmp (annotation, "0") != 0)
         seccomp_gen_options = LIBCRUN_SECCOMP_FAIL_UNKNOWN_SYSCALL;
 
+      annotation = find_annotation (container, "run.oci.seccomp_bpf_data");
+      if (annotation)
+        {
+          cleanup_free char *file_content = NULL;
+          size_t size;
+
+          ret = read_all_file (annotation, &file_content, &size, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+
+          ret = safe_write (seccomp_fd, file_content, (ssize_t) size);
+          if (UNLIKELY (ret < 0))
+            return crun_make_error (err, 0, "write to seccomp fd");
+        }
+
       ret = libcrun_generate_seccomp (container, seccomp_fd, seccomp_gen_options, err);
       if (UNLIKELY (ret < 0))
         return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
