kailun-qin
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 4 additions & 1 deletion b/‎Makefile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎contrib/cmd/seccompagent/README.md‎
Lines changed: 62 additions & 0 deletions b/‎contrib/cmd/seccompagent/README.md‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎contrib/cmd/seccompagent/config.json‎
Lines changed: 197 additions & 0 deletions b/‎contrib/cmd/seccompagent/config.json‎
Lines changed: 197 additions & 0 deletions
@@ -3,6 +3,7 @@ vendor/pkg
 /runc-*
 contrib/cmd/recvtty/recvtty
 contrib/cmd/sd-helper/sd-helper
+contrib/cmd/seccompagent/seccompagent
 man/man8
 release
 Vagrantfile
 
@@ -30,11 +30,14 @@ GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(B
 runc:
 	$(GO_BUILD) -o runc .
 
-all: runc recvtty sd-helper
+all: runc recvtty sd-helper seccompagent
 
 recvtty sd-helper:
 	$(GO_BUILD) -o contrib/cmd/$@/$@ ./contrib/cmd/$@
 
+seccompagent:
+	$(GO_BUILD) -o contrib/cmd/seccompagent/seccompagent ./contrib/cmd/seccompagent
+
 static:
 	$(GO_BUILD_STATIC) -o runc .
 	$(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 
@@ -0,0 +1,62 @@
+# Seccomp Agent
+
+## Warning
+
+Please note this is an example agent, as such it is possible that specially
+crafted messages can produce bad behaviour. Please use it as an example only.
+
+Also, this agent is used for integration tests. Be aware that changing the
+behaviour can break the integration tests.
+
+## Get started
+
+Compile runc and seccompagent:
+```bash
+make all
+```
+
+Run the seccomp agent in the background:
+```bash
+sudo ./contrib/cmd/seccompagent/seccompagent &
+```
+
+Prepare a container:
+```bash
+mkdir container-seccomp-notify
+cd container-seccomp-notify
+mkdir rootfs
+docker export $(docker create busybox) | tar -C rootfs -xvf -
+```
+
+Copy the example `config.json` file from the directory where this README.md is
+to the container directory you prepared earlier (`container-seccomp-notify`).
+This is a config.json as generated by `runc spec` at time of writing, with only
+the `args` and `seccomp` sections modified.
+
+Then start the container:
+```bash
+runc run mycontainerid
+```
+
+The container will output something like this:
+```bash
++ cd /dev/shm
++ mkdir test-dir
++ touch test-file
++ chmod 777 test-file
+chmod: changing permissions of 'test-file': No medium found
++ ls -l /dev/shm
+total 0
+drwxr-xr-x 2 root root 40 Jul 21 14:09 test-dir-foo
+-rw-r--r-- 1 root root  0 Jul 21 14:09 test-file
++ echo Note the agent added a suffix for the directory name and chmod fails
+Note the agent added a suffix for the directory name and chmod fails
+```
+
+This shows a simple example that runs in /dev/shm just because it is a tmpfs in
+the example config.json.
+
+The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows.
+
+For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir"
+but the directory created is "test-dir-foo".
@@ -0,0 +1,197 @@
+{
+	"ociVersion": "1.0.2-dev",
+	"process": {
+		"terminal": true,
+		"user": {
+			"uid": 0,
+			"gid": 0
+		},
+		"args": [
+			"sh",
+			"-c",
+			"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; ls -l /dev/shm; echo \"Note the agent added a suffix for the directory name and chmod fails\" "
+		],
+		"env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"TERM=xterm"
+		],
+		"cwd": "/",
+		"capabilities": {
+			"bounding": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"effective": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"inheritable": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"permitted": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"ambient": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			]
+		},
+		"rlimits": [
+			{
+				"type": "RLIMIT_NOFILE",
+				"hard": 1024,
+				"soft": 1024
+			}
+		],
+		"noNewPrivileges": true
+	},
+	"root": {
+		"path": "rootfs",
+		"readonly": true
+	},
+	"hostname": "runc",
+	"mounts": [
+		{
+			"destination": "/proc",
+			"type": "proc",
+			"source": "proc"
+		},
+		{
+			"destination": "/dev",
+			"type": "tmpfs",
+			"source": "tmpfs",
+			"options": [
+				"nosuid",
+				"strictatime",
+				"mode=755",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/pts",
+			"type": "devpts",
+			"source": "devpts",
+			"options": [
+				"nosuid",
+				"noexec",
+				"newinstance",
+				"ptmxmode=0666",
+				"mode=0620",
+				"gid=5"
+			]
+		},
+		{
+			"destination": "/dev/shm",
+			"type": "tmpfs",
+			"source": "shm",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"mode=1777",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/mqueue",
+			"type": "mqueue",
+			"source": "mqueue",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev"
+			]
+		},
+		{
+			"destination": "/sys",
+			"type": "sysfs",
+			"source": "sysfs",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"ro"
+			]
+		},
+		{
+			"destination": "/sys/fs/cgroup",
+			"type": "cgroup",
+			"source": "cgroup",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"relatime",
+				"ro"
+			]
+		}
+	],
+	"linux": {
+		"seccomp": {
+			"defaultAction": "SCMP_ACT_ALLOW",
+			"listenerPath": "/run/seccomp-agent.socket",
+			"listenerMetadata": "foo",
+			"architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],
+			"syscalls": [
+				{
+					"names": [ "chmod", "fchmod", "fchmodat", "mkdir" ],
+					"action": "SCMP_ACT_NOTIFY"
+				}
+			]
+		},
+		"resources": {
+			"devices": [
+				{
+					"allow": false,
+					"access": "rwm"
+				}
+			]
+		},
+		"namespaces": [
+			{
+				"type": "pid"
+			},
+			{
+				"type": "network"
+			},
+			{
+				"type": "ipc"
+			},
+			{
+				"type": "uts"
+			},
+			{
+				"type": "mount"
+			},
+			{
+				"type": "cgroup"
+			}
+		],
+		"maskedPaths": [
+			"/proc/acpi",
+			"/proc/asound",
+			"/proc/kcore",
+			"/proc/keys",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/sys/firmware",
+			"/proc/scsi"
+		],
+		"readonlyPaths": [
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger"
+		]
+	}
+}