// Copyright (c) 2020 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package main
import (
"encoding/json"
"log"
"os"
"github.com/containerd/containerd/contrib/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
)
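// main prints a seccomp profile for Gitpod workspace containers as JSON on
// stdout. Every command-line argument is taken as a capability name that is
// placed in the bounding set handed to containerd's default-profile
// generator; with no arguments that set is empty. Any encoding error is
// fatal (exit via log.Fatalf).
func main() {
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", " ")
	// The profile is consumed by a container runtime, not a browser, so
	// "<", ">" and "&" in syscall names/arguments must not be HTML-escaped.
	enc.SetEscapeHTML(false)

	if err := enc.Encode(buildProfile(os.Args[1:])); err != nil {
		log.Fatalf("cannot marshal seccomp profile: %q", err)
	}
}

// buildProfile returns containerd's default seccomp profile for a process
// whose bounding capability set is boundingCaps, extended with the syscalls
// a workspace needs to run nested container runtimes (clone/unshare/mount/
// pivot_root/... and setns).
//
// NOTE(review): containerd's default profile enables extra syscalls
// depending on the capabilities it is given, so boundingCaps shapes the base
// profile — confirm against the containerd version in go.mod. The rules
// appended here, however, are unconditional: they carry no argument filters
// and are added regardless of boundingCaps, so the resulting profile is
// strictly broader than the default for any capability set.
func buildProfile(boundingCaps []string) *specs.LinuxSeccomp {
	spec := specs.Spec{
		Process: &specs.Process{
			Capabilities: &specs.LinuxCapabilities{
				Bounding: boundingCaps,
			},
		},
	}

	profile := seccomp.DefaultProfile(&spec)
	profile.Syscalls = append(profile.Syscalls,
		// Namespace, mount and keyring syscalls needed by a nested runtime
		// (e.g. docker inside the workspace). Allowed without argument
		// filtering.
		specs.LinuxSyscall{
			Names: []string{
				"clone",
				"clone3",
				"mount",
				"umount2",
				"chroot",
				"pivot_root",
				"setdomainname",
				"sethostname",
				"unshare",
				"keyctl",
				"add_key",
				"request_key",
			},
			Action: specs.ActAllow,
		},

		// Running docker on a workspace requires setns
		// TODO(cw): find means to make this more precise, maybe an eBPF program that checks if
		// arg zero is a child of this netns. The kernel already does that (from the setns(2) man page):
		//   In order to reassociate itself with a new network, IPC, time,
		//   or UTS namespace, the caller must have the CAP_SYS_ADMIN capability
		//   both in its own user namespace and in the user namespace that
		//   owns the target namespace.
		specs.LinuxSyscall{
			Names:  []string{"setns"},
			Action: specs.ActAllow,
		},
	)
	return profile
}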