22 changes: 15 additions & 7 deletions README.md
Expand Up @@ -206,6 +206,7 @@ The following pieces of container metadata are available to plugins in NRI:
- cpuset memory
- Block I/O class
- RDT class
- Linux seccomp profile and policy
- container (init) process ID
- container (init process) exit status
- timestamp of container creation
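Review bot: the new metadata entry reads "Linux seccomp profile and policy" while the same feature is called "Linux seccomp policy" in the adjustable-parameters list and "seccomp policy profile" in the validator text; pick one term (for example "Linux seccomp policy") and use it in all three places so a reader can tell that the metadata field, the adjustable parameter and the validator control all refer to the same thing.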
Expand Down Expand Up @@ -252,6 +253,7 @@ container parameters:
- cpuset memory
- Block I/O class
- RDT class
- Linux seccomp policy

### Container Updates

Expand Down Expand Up @@ -341,11 +343,17 @@ selectively configured to
1. Reject OCI Hook injection: Reject any adjustment which tries to inject
OCI Hooks into a container.

2. Verify global mandatory plugins: Verify that all configured mandatory
2. Reject Linux seccomp policy adjustment: Reject any adjustment which tries
to set/override Linux seccomp policy of a container. There are separate controls
for rejecting adjustment of the seccomp policy profile based on the type of policy
profile set for the container. These types include the runtime default seccomp
policy profile, a custom policy profile, and unconfined security profiles.

3. Verify global mandatory plugins: Verify that all configured mandatory
plugins are present and have processed a container. Otherwise reject the
creation of the container.

3. Verify annotated mandatory plugins: Verify that an annotated set of
4. Verify annotated mandatory plugins: Verify that an annotated set of
container-specific mandatory plugins are present and have processed a
container. Otherwise reject the creation of the container.

Expand All @@ -354,11 +362,11 @@ allows one to deploy mandatory plugins as containers themselves.

#### Default Validation Scope

Currently only OCI hook injection can be restricted using the default
validator. However, this probably will change in the future. Especially
when NRI is extended with control over new container parameters. If such
parameters will have security implications, corresponding configurable
restrictions will be introduced to the default validator.
Currently only OCI hook injection and Linux seccomp policy can be restricted
using the default validator. However, this probably will change in the future.
Especially when NRI is extended with control over more container parameters.
If newly added controls will have security implications, expect corresponding
configurable restrictions in the default validator.

## Runtime Adaptation

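Review bot: "However, this probably will change in the future. Especially when NRI is extended with control over more container parameters." leaves a sentence fragment and hedges on something the paragraph then states as policy in the last sentence. Suggest merging them into one statement, e.g. "This scope will grow as NRI gains control over more container parameters: any new control with security implications will get a corresponding configurable restriction in the default validator." That way the paragraph reads as a commitment rather than a guess, and the 11-line rewrite still says the same thing.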