seccompagent

README

Seccomp Agent

Warning

Please note this is an example agent, as such it is possible that specially crafted messages can produce bad behaviour. Please use it as an example only.

Also, this agent is used for integration tests. Be aware that changing the behaviour can break the integration tests.

Get started

Compile runc and seccompagent:

make all

Run the seccomp agent in the background:

sudo ./contrib/cmd/seccompagent/seccompagent &

Prepare a container:

mkdir container-seccomp-notify
cd container-seccomp-notify
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -

Then, generate a config.json by running the script gen-seccomp-example-cfg.sh from the directory where this README.md is in the container directory you prepared earlier (container-seccomp-notify).

Then start the container:

runc run mycontainerid

The container will output something like this:

+ cd /dev/shm
+ mkdir test-dir
+ touch test-file
+ chmod 777 test-file
chmod: changing permissions of 'test-file': No medium found
+ stat /dev/shm/test-dir-foo
  File: /dev/shm/test-dir-foo
  Size: 40        	Blocks: 0          IO Block: 4096   directory
Device: 3eh/62d	Inode: 2           Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-09-09 15:03:13.043716040 +0000
Modify: 2021-09-09 15:03:13.043716040 +0000
Change: 2021-09-09 15:03:13.043716040 +0000
 Birth: -
+ ls -l /dev/shm
total 0
drwxr-xr-x 2 root root 40 Sep  9 15:03 test-dir-foo
-rw-r--r-- 1 root root  0 Sep  9 15:03 test-file
+ echo Note the agent added a suffix for the directory name and chmod fails
Note the agent added a suffix for the directory name and chmod fails

This shows a simple example that runs in /dev/shm just because it is a tmpfs in the example config.json.

The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows.

For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir" but the directory created is "test-dir-foo".