Implement the seccomp profile

yihuaf · Sep 15, 2021 · 052ba25 · 052ba25
1 parent c0a344e
commit 052ba25
Show file tree

Hide file tree

Showing 9 changed files with 1,407 additions and 14 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -43,7 +43,7 @@ jobs:
           working-directory: ./cgroups
       - run: rustup component add rustfmt clippy
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Check formatting
         run: cargo fmt --all -- --check
         working-directory: ${{matrix.dirs}}
@@ -68,7 +68,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run tests
         run: cargo test --all --all-features --no-fail-fast
   coverage:
@@ -98,7 +98,7 @@ jobs:
       - name: Update System Libraries
         run: sudo apt-get -y update
       - name: Install System Libraries
-        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run Test Coverage for youki
         run: |
           cargo llvm-cov clean --workspace
@@ -143,7 +143,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Build
         run: ./build.sh --release
       - uses: actions/setup-go@v2

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -41,6 +41,7 @@ dbus = "0.9.2"
 tabwriter = "1"
 fastrand = "1.4.1"
 crossbeam-channel = "0.5"
+seccomp-sys = { git = "https://github.com/polachok/seccomp-sys.git", rev = "9d89b10f9faa19e8f4e952663697ec126f2e2121"}
 
 [dev-dependencies]
 oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix", features = ["proptests"] }

diff --git a/README.md b/README.md
@@ -75,7 +75,8 @@ $ sudo apt-get install   \
       libsystemd-dev     \
       libdbus-glib-1-dev \
       build-essential    \
-      libelf-dev
+      libelf-dev \
+      libseccomp-dev
 ```
 
 ### Fedora, Centos, RHEL and related distributions
@@ -86,6 +87,7 @@ $ sudo dnf install   \
       systemd-devel  \
       dbus-devel     \
       elfutils-libelf-devel \
+      libseccomp-devel
 ```
 
 ## Build

diff --git a/src/lib.rs b/src/lib.rs
@@ -9,6 +9,7 @@ pub mod notify_socket;
 pub mod process;
 pub mod rootfs;
 pub mod rootless;
+pub mod seccomp;
 pub mod signal;
 pub mod syscall;
 pub mod tty;

diff --git a/src/process/init.rs b/src/process/init.rs
@@ -1,3 +1,8 @@
+use super::args::ContainerArgs;
+use crate::{
+    capabilities, hooks, namespaces::Namespaces, process::channel, rootfs, rootless::Rootless,
+    seccomp, syscall::Syscall, tty, utils,
+};
 use anyhow::{bail, Context, Result};
 use nix::mount::mount as nix_mount;
 use nix::mount::MsFlags;
@@ -9,17 +14,12 @@ use nix::{
 };
 use oci_spec::runtime::{LinuxNamespaceType, User};
 use std::collections::HashMap;
-use std::{env, os::unix::io::AsRawFd};
-use std::{fs, path::Path, path::PathBuf};
-
-use crate::rootless::Rootless;
-use crate::{
-    capabilities, hooks, namespaces::Namespaces, process::channel, rootfs, syscall::Syscall, tty,
-    utils,
+use std::{
+    env, fs,
+    os::unix::io::AsRawFd,
+    path::{Path, PathBuf},
 };
 
-use super::args::ContainerArgs;
-
 // Make sure a given path is on procfs. This is to avoid the security risk that
 // /proc path is mounted over. Ref: CVE-2019-16884
 fn ensure_procfs(path: &Path) -> Result<()> {
@@ -377,6 +377,10 @@ pub fn container_init(
         }
     }
 
+    // Initialize seccomp profile right before we are ready to execute the
+    // payload. The notify socket will still need network related syscalls.
+    seccomp::initialize_seccomp(linux.seccomp.as_ref()).context("Failed to execute seccomp")?;
+
     if let Some(args) = proc.args.as_ref() {
         utils::do_exec(&args[0], args)?;
     } else {