docs: update seccomp documentation #4902
Conversation
libcontainer/SPEC.md
Outdated
| ``` | ||
|
|
||
| *TODO: seccomp work is being done to find a good default config* | ||
| *Seccomp filtering is supported with configurable default profiles* |
There was a problem hiding this comment.
Not sure what you mean with a configurable default profile. There is no default profile AFAIK.
Also, considering how extensive this doc tends to be, maybe we can add some example seccomp profile here?
There was a problem hiding this comment.
I was about to comment the same thing -- this is talking about the default configuration for runc, and we don't have a default seccomp profile. Upstream runtimes have their own profiles but we do not yet have a default one.
But yes, a better PR would be to provide an example (maybe just taking the Podman one? I wouldn't use the Docker one since it still suffers from the EPERM issue described in moby/moby#42871.).
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
b9cb4c8 to
a221b17
Compare
libcontainer/SPEC.md
Outdated
|
|
||
| **Example seccomp profile:** | ||
| An example seccomp profile based on Podman's default configuration is available at: | ||
| [examples/seccomp/podman-default.json](../examples/seccomp/podman-default.json) |
There was a problem hiding this comment.
I don't think this JSON has to be put in the repo.
You can just put a hyperlink
There was a problem hiding this comment.
Also, OCI seccomp is different from libcontainer seccomp.
See how it is converted here
runc/libcontainer/specconv/spec_linux.go
Line 1139 in 00aec12
osamakader
changed the title
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
2 times, most recently
from
06ea960 to
43b3b58
Compare
libcontainer/SPEC.md
Outdated
| Note: This is an OCI seccomp profile. Runc converts OCI seccomp profiles to libcontainer format | ||
| using the `SetupSeccomp` function in `libcontainer/specconv/spec_linux.go`. | ||
|
|
||
| **Example OCI seccomp format:** |
There was a problem hiding this comment.
A single example should suffice
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
43b3b58 to
f14c63e
Compare
libcontainer/SPEC.md
Outdated
|
|
||
| Seccomp can be used to filter the syscalls a container can use. The filter used is quite expressive. For example, a filter can allow only a syscall when used with a specific parameter is allowed, change the errno returned or even forward it to a user-space agent to act on it. | ||
|
|
||
| Example OCI seccomp profile: |
There was a problem hiding this comment.
yes, I built runc with seccomp tag, used runc spec then added that profile to it, and ran a container successfully.
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
f14c63e to
f7e6cdc
Compare
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
f7e6cdc to
656677b
Compare
libcontainer/SPEC.md
Outdated
| The primary | ||
| use-case is to provide an explicit allow-list of syscalls for a container, to |
libcontainer/SPEC.md
Outdated
| libcontainer | ||
| does not currently provide a default filter, but higher-level runtimes tend to |
libcontainer/SPEC.md
Outdated
| libcontainer | ||
| does not currently provide a default filter, but higher-level runtimes tend to | ||
| define their own filters for use with runc. Here is an example OCI seccomp | ||
| profile (see *the runtime specification* *oci-runtime-seccomp* for more |
There was a problem hiding this comment.
I guess this is intended to be a link but it's broken?
libcontainer/SPEC.md
Outdated
| ``` | ||
|
|
||
| *TODO: seccomp work is being done to find a good default config* | ||
| **seccomp** can be used to apply filters to the system calls used in |
There was a problem hiding this comment.
Here you broke the link too.
What @cyphar showed with the [ ] is a markdown syntax to put links. You removed it, but we want it like that for the links :)
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
656677b to
2fe8f87
Compare
|
Thanks @rata for the clarification. |
|
@cyphar changes are done. |
| OCI seccomp profile (see | ||
| [oci-runtime-seccomp](https://github.com/opencontainers/runtime-spec/blob/v1.2.1/config-linux.md#seccomp) | ||
| for more information on how to write your own filters) | ||
|
|
There was a problem hiding this comment.
This PR no longer contains an example?
There was a problem hiding this comment.
It refers only to the runtime spec example above only, yes.
There was a problem hiding this comment.
I'm going to update the commit and PR messages.
Replace outdated TODO comment with updated information about runc's seccomp support. Signed-off-by: Osama Abdelkader <[email protected]>
osamakader
force-pushed
the
fix-outdated-seccomp-todo
branch
from
2fe8f87 to
e7ea570
Compare
osamakader
changed the title
Update seccomp documentation.