add seccomp support

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test/helpers.bash

@@ -17,6 +17,8 @@ OCIC_BINARY=${OCIC_BINARY:-${OCID_ROOT}/cri-o/ocic}
 CONMON_BINARY=${CONMON_BINARY:-${OCID_ROOT}/cri-o/conmon/conmon}
 # Path of the pause binary.
 PAUSE_BINARY=${PAUSE_BINARY:-${OCID_ROOT}/cri-o/pause/pause}
+# Path of the default seccomp profile
+SECCOMP_PROFILE=${SECCOMP_PROFILE:-${OCID_ROOT}/cri-o/seccomp.json}
 # Path of the runc binary.
 RUNC_PATH=$(command -v runc || true)
 RUNC_BINARY=${RUNC_PATH:-/usr/local/sbin/runc}
@@ -78,7 +80,13 @@ function wait_until_reachable() {
 
 # Start ocid.
 function start_ocid() {
-	"$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" config >$OCID_CONFIG
+	"$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$SECCOMP_PROFILE" config >$OCID_CONFIG
+	"$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
+	wait_until_reachable
+}
+
+function start_ocid_with_seccomp_path() {
+	"$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$1" config >$OCID_CONFIG
 	"$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
 	wait_until_reachable
 }
@@ -89,7 +97,7 @@ function cleanup_ctrs() {
 		if [ "$output" != "" ]; then
 			printf '%s\n' "$output" | while IFS= read -r line
 			do
-			   ocic ctr stop --id "$line"
+			   ocic ctr stop --id "$line" || true
 			   ocic ctr remove --id "$line"
 			done
 		fi
@@ -102,7 +110,7 @@ function cleanup_pods() {
 		if [ "$output" != "" ]; then
 			printf '%s\n' "$output" | while IFS= read -r line
 			do
-			   ocic pod stop --id "$line"
+			   ocic pod stop --id "$line" || true
 			   ocic pod remove --id "$line"
 			done
 		fi

test/seccomp.bats

@@ -0,0 +1,307 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+	cleanup_test
+}
+
+# 1. test running with ctr unconfined
+# test that we can run with a syscall which would be otherwise blocked
+@test "ctr seccomp profiles unconfined" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp1-1-testname-0": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
+	run ocic pod create --name seccomp1 --config "$TESTDIR"/seccomp1.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --name testname --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 2. test running with ctr runtime/default
+# test that we cannot run with a syscall blocked by the default seccomp profile
+@test "ctr seccomp profiles runtime/default" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp2-1-testname2-0": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+	run ocic pod create --name seccomp2 --config "$TESTDIR"/seccomp2.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --name testname2 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "Operation not permitted" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 3. test running with ctr wrong profile name
+@test "ctr seccomp profiles wrong profile name" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp3-1-testname3-1": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
+	run ocic pod create --name seccomp3 --config "$TESTDIR"/seccomp3.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --name testname3 --config "$TESTDATA"/container_config.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "unknown seccomp profile option:" ]]
+	[[ "$output" =~ "notgood" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# TODO(runcom): need https://issues.k8s.io/36997
+# 4. test running with ctr localhost/profile_name
+@test "ctr seccomp profiles localhost/profile_name" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	#sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	#sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	#sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	#start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	skip "need https://issues.k8s.io/36997"
+}
+
+# 5. test running with unkwown ctr profile falls back to pod profile
+# unknown ctr -> unconfined
+# pod -> runtime/default
+# result: fail chmod
+@test "ctr seccomp profiles falls back to pod profile" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp2-1-testname2-0-not-exists": "unconfined", "security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp5.json
+	run ocic pod create --name seccomp5 --config "$TESTDIR"/seccomp5.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "Operation not permitted" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 6. test running with unkwown ctr profile and no pod, falls back to unconfined
+# unknown ctr -> runtime/default
+# pod -> NO
+# result: success, running unconfined
+@test "ctr seccomp profiles falls back to unconfined" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp6-1-testname6-0-not-exists": "runtime-default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp6.json
+	run ocic pod create --name seccomp6 --config "$TESTDIR"/seccomp6.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --name testname6 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 1. test running with pod unconfined
+# test that we can run with a syscall which would be otherwise blocked
+@test "pod seccomp profiles unconfined" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
+	run ocic pod create --name seccomp1 --config "$TESTDIR"/seccomp1.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 2. test running with pod runtime/default
+# test that we cannot run with a syscall blocked by the default seccomp profile
+@test "pod seccomp profiles runtime/default" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+	run ocic pod create --name seccomp2 --config "$TESTDIR"/seccomp2.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "Operation not permitted" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# 3. test running with pod wrong profile name
+@test "pod seccomp profiles wrong profile name" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	# 3. test running with pod wrong profile name
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
+	run ocic pod create --name seccomp3 --config "$TESTDIR"/seccomp3.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --config "$TESTDATA"/container_config.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "unknown seccomp profile option:" ]]
+	[[ "$output" =~ "notgood" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
+# TODO(runcom): need https://issues.k8s.io/36997
+# 4. test running with pod localhost/profile_name
+@test "pod seccomp profiles localhost/profile_name" {
+	# this test requires docker, thus it can't yet be run in a container
+	if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
+		skip "cannot yet run this test in a container, use sudo make localintegration"
+	fi
+
+	#sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	#sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	#sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+	#start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+	skip "need https://issues.k8s.io/36997"
+}

test/testdata/container_config_seccomp.json

@@ -0,0 +1,82 @@
+{
+	"metadata": {
+		"name": "container1",
+		"attempt": 1
+	},
+	"image": {
+		"image": "docker://redis:latest"
+	},
+	"command": [
+		"/bin/bash"
+	],
+	"args": [
+		"/bin/chmod", "777", "."
+	],
+	"working_dir": "/",
+	"envs": [
+		{
+			"key": "PATH",
+			"value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		},
+		{
+			"key": "TERM",
+			"value": "xterm"
+		},
+		{
+			"key": "TESTDIR",
+			"value": "test/dir1"
+		},
+		{
+			"key": "TESTFILE",
+			"value": "test/file1"
+		}
+	],
+	"labels": {
+		"type": "small",
+		"batch": "no"
+	},
+	"annotations": {
+		"owner": "dragon",
+		"daemon": "ocid"
+	},
+	"privileged": true,
+	"readonly_rootfs": true,
+	"log_path": "container.log",
+	"stdin": false,
+	"stdin_once": false,
+	"tty": false,
+	"linux": {
+		"resources": {
+			"cpu_period": 10000,
+			"cpu_quota": 20000,
+			"cpu_shares": 512,
+			"memory_limit_in_bytes": 88000000,
+			"oom_score_adj": 30
+		},
+		"capabilities": {
+			"add_capabilities": [
+				"setuid",
+				"setgid"
+			],
+			"drop_capabilities": [
+				"audit_write",
+				"audit_read"
+			]
+		},
+		"selinux_options": {
+			"user": "system_u",
+			"role": "system_r",
+			"type": "svirt_lxc_net_t",
+			"level": "s0:c4-c5"
+		},
+		"user": {
+			"uid": 5,
+			"gid": 300,
+			"additional_gids": [
+				400,
+				401,
+				402
+			]
+		}
+	}
+}

test/testdata/sandbox_config.json

@@ -48,7 +48,8 @@
 	"annotations": {
 		"owner": "hmeng",
 		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" 
+		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {
 		"cgroup_parent": "podsandbox1.slice:container:infra",

test/testdata/sandbox_config_seccomp.json

@@ -0,0 +1,60 @@
+{
+	"metadata": {
+		"name": "podsandbox1",
+		"uid": "redhat-test-ocid",
+		"namespace": "redhat.test.ocid",
+		"attempt": 1
+	},
+	"hostname": "ocic_host",
+	"log_directory": ".",
+	"dns_options": {
+		"servers": [
+			"server1.redhat.com",
+			"server2.redhat.com"
+		],
+		"searches": [
+			"8.8.8.8"
+		]
+	},
+	"port_mappings": [
+		{
+			"name": "port_map1",
+			"protocol": 1,
+			"container_port": 80,
+			"host_port": 4888,
+			"host_ip": "192.168.0.33"
+		},
+		{
+			"name": "port_map2",
+			"protocol": 2,
+			"container_port": 81,
+			"host_port": 4889,
+			"host_ip": "192.168.0.33"
+		}
+	],
+	"resources": {
+		"cpu": {
+			"limits": 3,
+			"requests": 2
+		},
+		"memory": {
+			"limits": 50000000,
+			"requests": 2000000
+		}
+	},
+	"labels": {
+		"group": "test"
+	},
+	"annotations": {
+		"owner": "hmeng"
+		%VALUE%
+	},
+	"linux": {
+		"cgroup_parent": "podsandbox1.slice:container:infra",
+		"namespace_options": {
+			"host_network": false,
+			"host_pid": false,
+			"host_ipc": false
+		}
+	}
+}