Add spoc run command
#1534
Add spoc run command
#1534
Conversation
k8s-ci-robot
added
release-note
saschagrunert
force-pushed
the
run
branch
7 times, most recently
from
ce8a69e
to
0aedb2d
Compare
|
@kubernetes-sigs/security-profiles-operator-maintainers PTAL |
k8s-ci-robot
added
the
lgtm
|
/lgtm cancel Let's wait for another maintainer to review. |
k8s-ci-robot
removed
the
lgtm
| SetupSeccomp(*specs.LinuxSeccomp) (*configs.Seccomp, error) | ||
| InitSeccomp(*configs.Seccomp) (int, error) |
There was a problem hiding this comment.
It would be great if we could have a more generic API, in which we could send different types of security profile enforcer (seccomp, apparmor, selinux, etc..). But as this is internal, we can do that at a later stage.
| log.Print("Setting up seccomp") | ||
| libConfig, err := r.SetupSeccomp(runtimeSpecConfig) | ||
| if err != nil { | ||
| return fmt.Errorf("convert profile: %w", err) | ||
| } | ||
|
|
||
| log.Print("Load seccomp profile") | ||
| if _, err := r.InitSeccomp(libConfig); err != nil { | ||
| return fmt.Errorf("init profile: %w", err) | ||
| } |
There was a problem hiding this comment.
More for a follow-up: I am not sure the difference between Init and Setup. For other enforcers, maybe things like Init and Load, or Init and Enforce.
Assuming that the former initialises the enforcer and the latter actually applies it to the target application/process.
|
Great idea and implementation! Who needs ChatGPT when @saschagrunert is around! 🦾 🚀 Adding a hold in case other folks may want to comment before the merge. /lgtm |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
This allows to run a seccomp profile for a custom command or binary. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ccojocar, JAORMX, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Awesome, yeah we can follow-up on the other topics since I'm also planning to push more docs and testing around the features. I just updated the PR to propagate the correct exit code via |
|
/unhold Thanks for all the reviews! |
k8s-ci-robot
removed
the
do-not-merge/hold
What type of PR is this?
/kind feature
What this PR does / why we need it:
This allows to run a seccomp profile for a custom command or binary.
Which issue(s) this PR fixes:
Refers to #1482
Does this PR have test?
Yes
Special notes for your reviewer:
None
Does this PR introduce a user-facing change?