Merge pull request #292 from yihuaf/yihuaf/seccomp

Implemented seccomp and pass the integration test

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
           working-directory: ./cgroups
       - run: rustup component add rustfmt clippy
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Check formatting
         run: cargo fmt --all -- --check
         working-directory: ${{matrix.dirs}}
@@ -68,7 +68,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run tests
         run: cargo test --all --all-features --no-fail-fast
   coverage:
@@ -98,7 +98,7 @@ jobs:
       - name: Update System Libraries
         run: sudo apt-get -y update
       - name: Install System Libraries
-        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run Test Coverage for youki
         run: |
           cargo llvm-cov clean --workspace
@@ -143,7 +143,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Build
         run: ./build.sh --release
       - uses: actions/setup-go@v2

Cargo.toml

@@ -8,6 +8,7 @@ description = "A container runtime written in Rust"
 [workspace]
 members = [
     "cgroups",
+    "seccomp",
 ]
 
 [features]
@@ -41,6 +42,7 @@ dbus = "0.9.2"
 tabwriter = "1"
 fastrand = "1.4.1"
 crossbeam-channel = "0.5"
+seccomp = { version = "0.1.0", path = "./seccomp" }
 
 [dev-dependencies]
 oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix", features = ["proptests"] }

README.md

@@ -75,7 +75,8 @@ $ sudo apt-get install   \
       libsystemd-dev     \
       libdbus-glib-1-dev \
       build-essential    \
-      libelf-dev
+      libelf-dev \
+      libseccomp-dev
 ```
 
 ### Fedora, Centos, RHEL and related distributions
@@ -86,6 +87,7 @@ $ sudo dnf install   \
       systemd-devel  \
       dbus-devel     \
       elfutils-libelf-devel \
+      libseccomp-devel
 ```
 
 ## Build

integration_test.sh

@@ -48,7 +48,7 @@ test_cases=(
   # "linux_process_apparmor_profile/linux_process_apparmor_profile.t"
   "linux_readonly_paths/linux_readonly_paths.t"
   # "linux_rootfs_propagation/linux_rootfs_propagation.t"
-  # "linux_seccomp/linux_seccomp.t"
+  "linux_seccomp/linux_seccomp.t"
   "linux_sysctl/linux_sysctl.t"
   "linux_uid_mappings/linux_uid_mappings.t"
   "misc_props/misc_props.t"

seccomp/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "seccomp"
+version = "0.1.0"
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libc = "0.2.84"

seccomp/README.md

@@ -0,0 +1,11 @@
+# Bindings to libseccomp
+
+This crate contains a rust FFI binding to
+[libseccomp](https://github.com/seccomp/libseccomp).
+
+The code is adapted from auto generated code using
+[rust-bindgen](https://github.com/rust-lang/rust-bindgen). The `rust-bindgen`
+has some issue with detecting function macro, which `libseccomp` uses. We
+decided to manually fix the issue and include the bindings in this crate.
+
+The header file used: <https://github.com/seccomp/libseccomp/blob/main/include/seccomp.h.in>