Implemented seccomp and pass the integration test

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
           working-directory: ./cgroups
       - run: rustup component add rustfmt clippy
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Check formatting
         run: cargo fmt --all -- --check
         working-directory: ${{matrix.dirs}}
@@ -68,7 +68,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run tests
         run: cargo test --all --all-features --no-fail-fast
   coverage:
@@ -98,7 +98,7 @@ jobs:
       - name: Update System Libraries
         run: sudo apt-get -y update
       - name: Install System Libraries
-        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+        run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Run Test Coverage for youki
         run: |
           cargo llvm-cov clean --workspace
@@ -143,7 +143,7 @@ jobs:
         with:
           working-directory: ./cgroups
       - run: sudo apt-get -y update
-      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev
+      - run: sudo apt-get install -y pkg-config libsystemd-dev libdbus-glib-1-dev libelf-dev libseccomp-dev
       - name: Build
         run: ./build.sh --release
       - uses: actions/setup-go@v2

Cargo.toml

@@ -41,6 +41,7 @@ dbus = "0.9.2"
 tabwriter = "1"
 fastrand = "1.4.1"
 crossbeam-channel = "0.5"
+seccomp-sys = { git = "https://github.com/polachok/seccomp-sys.git", rev = "9d89b10f9faa19e8f4e952663697ec126f2e2121"}
 
 [dev-dependencies]
 oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix", features = ["proptests"] }

README.md

@@ -75,7 +75,8 @@ $ sudo apt-get install   \
       libsystemd-dev     \
       libdbus-glib-1-dev \
       build-essential    \
-      libelf-dev
+      libelf-dev \
+      libseccomp-dev
 ```
 
 ### Fedora, Centos, RHEL and related distributions
@@ -86,6 +87,7 @@ $ sudo dnf install   \
       systemd-devel  \
       dbus-devel     \
       elfutils-libelf-devel \
+      libseccomp-devel
 ```
 
 ## Build

integration_test.sh

@@ -48,7 +48,7 @@ test_cases=(
   # "linux_process_apparmor_profile/linux_process_apparmor_profile.t"
   "linux_readonly_paths/linux_readonly_paths.t"
   # "linux_rootfs_propagation/linux_rootfs_propagation.t"
-  # "linux_seccomp/linux_seccomp.t"
+  "linux_seccomp/linux_seccomp.t"
   "linux_sysctl/linux_sysctl.t"
   "linux_uid_mappings/linux_uid_mappings.t"
   "misc_props/misc_props.t"

src/lib.rs

@@ -9,6 +9,7 @@ pub mod notify_socket;
 pub mod process;
 pub mod rootfs;
 pub mod rootless;
+pub mod seccomp;
 pub mod signal;
 pub mod syscall;
 pub mod tty;

src/process/init.rs

@@ -1,3 +1,8 @@
+use super::args::ContainerArgs;
+use crate::{
+    capabilities, hooks, namespaces::Namespaces, process::channel, rootfs, rootless::Rootless,
+    seccomp, syscall::Syscall, tty, utils,
+};
 use anyhow::{bail, Context, Result};
 use nix::mount::mount as nix_mount;
 use nix::mount::MsFlags;
@@ -9,17 +14,12 @@ use nix::{
 };
 use oci_spec::runtime::{LinuxNamespaceType, User};
 use std::collections::HashMap;
-use std::{env, os::unix::io::AsRawFd};
-use std::{fs, path::Path, path::PathBuf};
-
-use crate::rootless::Rootless;
-use crate::{
-    capabilities, hooks, namespaces::Namespaces, process::channel, rootfs, syscall::Syscall, tty,
-    utils,
+use std::{
+    env, fs,
+    os::unix::io::AsRawFd,
+    path::{Path, PathBuf},
 };
 
-use super::args::ContainerArgs;
-
 // Make sure a given path is on procfs. This is to avoid the security risk that
 // /proc path is mounted over. Ref: CVE-2019-16884
 fn ensure_procfs(path: &Path) -> Result<()> {
@@ -299,6 +299,14 @@ pub fn container_init(
         .set_id(Uid::from_raw(proc.user.uid), Gid::from_raw(proc.user.gid))
         .context("Failed to configure uid and gid")?;
 
+    // Without no new privileges, seccomp is a privileged operation. We have to
+    // do this before dropping capabilities. Otherwise, we should do it later,
+    // as close to exec as possible.
+    if linux.seccomp.is_some() && proc.no_new_privileges.is_none() {
+        seccomp::initialize_seccomp(linux.seccomp.as_ref().unwrap())
+            .context("Failed to execute seccomp")?;
+    }
+
     capabilities::reset_effective(command).context("Failed to reset effective capabilities")?;
     if let Some(caps) = &proc.capabilities {
         capabilities::drop_privileges(caps, command).context("Failed to drop capabilities")?;
@@ -377,6 +385,13 @@ pub fn container_init(
         }
     }
 
+    if linux.seccomp.is_some() && proc.no_new_privileges.is_some() {
+        // Initialize seccomp profile right before we are ready to execute the
+        // payload. The notify socket will still need network related syscalls.
+        seccomp::initialize_seccomp(linux.seccomp.as_ref().unwrap())
+            .context("Failed to execute seccomp")?;
+    }
+
     if let Some(args) = proc.args.as_ref() {
         utils::do_exec(&args[0], args)?;
     } else {