Add spoc run command #1534
@kubernetes-sigs/security-profiles-operator-maintainers PTAL

/lgtm cancel Let's wait for another maintainer to review.
SetupSeccomp(*specs.LinuxSeccomp) (*configs.Seccomp, error) | ||
InitSeccomp(*configs.Seccomp) (int, error) |
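Review bot: neither `SetupSeccomp` nor `InitSeccomp` carries a doc comment, and the call site further down discards the `int` that `InitSeccomp` returns (`if _, err := r.InitSeccomp(libConfig)`), so the interface gives no hint what that integer is (a descriptor the caller must close, a count) or why dropping it is safe; add a one-line comment on each method stating what the returned value means and who owns it, and say in `SetupSeccomp`'s comment whether it only converts the runtime-spec profile (as the `convert profile` error text below suggests) or also touches the process.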
It would be great if we could have a more generic API, in which we could send different types of security profile enforcer (seccomp, apparmor, selinux, etc.). But as this is internal, we can do that at a later stage.
log.Print("Setting up seccomp") | ||
libConfig, err := r.SetupSeccomp(runtimeSpecConfig) | ||
if err != nil { | ||
return fmt.Errorf("convert profile: %w", err) | ||
} | ||
|
||
log.Print("Load seccomp profile") | ||
if _, err := r.InitSeccomp(libConfig); err != nil { | ||
return fmt.Errorf("init profile: %w", err) | ||
} |
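Review bot: `_, err := r.InitSeccomp(libConfig)` throws away the first return value; if that `int` is a file descriptor it is leaked here, and if it is genuinely unneeded a short comment saying so would settle the question for the next reader. Also the log line says `Load seccomp profile` while the wrapped error says `init profile`; pick one verb so a log excerpt and an error chain line up, e.g. `return fmt.Errorf("load profile: %w", err)`.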
More for a follow-up: I am not sure of the difference between Init and Setup. For other enforcers, maybe things like Init and Load, or Init and Enforce. Assuming that the former initialises the enforcer and the latter actually applies it to the target application/process.
Great idea and implementation! Who needs ChatGPT when @saschagrunert is around! 🦾 🚀 Adding a hold in case other folks may want to comment before the merge. /lgtm
This allows running a seccomp profile for a custom command or binary.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Great work!
I am wondering if it is not more appropriate to name this command "validate" instead of "run", since this seems more in line with the purpose of the command.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ccojocar, JAORMX, saschagrunert
Awesome, yeah we can follow up on the other topics since I'm also planning to push more docs and testing around the features. I just updated the PR to propagate the correct exit code via
/unhold Thanks for all the reviews!
What type of PR is this?
/kind feature
What this PR does / why we need it:
This allows running a seccomp profile for a custom command or binary.
Which issue(s) this PR fixes:
Refers to #1482
Does this PR have test?
Yes
Special notes for your reviewer:
None
Does this PR introduce a user-facing change?
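The PR description says the new command runs a custom binary under a seccomp profile, and the reviewed snippet splits that into a setup step (runtime-spec `LinuxSeccomp` converted to a libcontainer `configs.Seccomp`) and an init step that loads it. As an added example that is not part of the project's code, the Go below reimplements the setup step from scratch: it parses the OCI seccomp JSON such profiles use and compiles it to a raw classic-BPF filter for x86_64 (architecture check, then one compare-and-return per syscall name, then the default action), plus a small interpreter so the filter can be checked offline before anything is loaded. Assumptions: the syscall table is a deliberately partial one constructed for this example, the sample profile is constructed, only SCMP_ACT_ALLOW, SCMP_ACT_ERRNO and SCMP_ACT_KILL_PROCESS are handled, and the `Build`/`Evaluate` names are this example's own; the project itself lets libcontainer do this work rather than hand-building BPF.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Classic-BPF opcodes and seccomp constants (<linux/filter.h>, <linux/seccomp.h>).
const (
	bpfLdWAbs  = 0x20 // BPF_LD|BPF_W|BPF_ABS: acc = 32-bit word at offset K of seccomp_data
	bpfJmpJeqK = 0x15 // BPF_JMP|BPF_JEQ|BPF_K: skip jt insns if acc == K, else skip jf
	bpfRetK    = 0x06 // BPF_RET|BPF_K: the verdict is K

	seccompRetKillProcess = 0x80000000
	seccompRetErrno       = 0x00050000 // low 16 bits carry the errno
	seccompRetAllow       = 0x7fff0000
	auditArchX86_64       = 0xc000003e
	offNr, offArch        = 0, 4 // offsetof(struct seccomp_data, nr) and (.., arch)
)

type sockFilter struct { // struct sock_filter, the unit the kernel loads
	Code   uint16
	JT, JF uint8
	K      uint32
}

type Profile struct { // subset of the OCI runtime-spec seccomp object read here
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names    []string `json:"names"`
		Action   string   `json:"action"`
		ErrnoRet *uint32  `json:"errnoRet,omitempty"`
	} `json:"syscalls"`
}

// Deliberately partial x86_64 table, constructed for this example (a real tool uses libseccomp).
var x86_64Syscalls = map[string]uint32{"read": 0, "write": 1, "close": 3, "mmap": 9,
	"brk": 12, "execve": 59, "exit": 60, "ptrace": 101, "exit_group": 231, "openat": 257}

// actions maps SCMP_ACT_* names to kernel verdicts; SCMP_ACT_ERRNO defaults to EPERM (1).
var actions = map[string]uint32{"SCMP_ACT_ALLOW": seccompRetAllow,
	"SCMP_ACT_KILL_PROCESS": seccompRetKillProcess, "SCMP_ACT_ERRNO": seccompRetErrno | 1}

// sampleProfile is constructed input, not a profile shipped by the project.
const sampleProfile = `{"defaultAction": "SCMP_ACT_KILL_PROCESS", "syscalls": [
  {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}]}`

// Build is the "setup" phase: JSON profile in, x86_64 BPF program out.
// Layout: arch check, load nr, one (JEQ nr -> RET action) pair per name, RET defaultAction.
func Build(profileJSON []byte) ([]sockFilter, error) {
	var p Profile
	if err := json.Unmarshal(profileJSON, &p); err != nil {
		return nil, err
	}
	def, ok := actions[p.DefaultAction]
	if !ok {
		return nil, fmt.Errorf("unsupported defaultAction %q", p.DefaultAction)
	}
	prog := []sockFilter{
		{bpfLdWAbs, 0, 0, offArch},
		{bpfJmpJeqK, 1, 0, auditArchX86_64}, // foreign arch: fall into the kill below
		{bpfRetK, 0, 0, seccompRetKillProcess},
		{bpfLdWAbs, 0, 0, offNr},
	}
	for _, rule := range p.Syscalls {
		act, ok := actions[rule.Action]
		if !ok {
			return nil, fmt.Errorf("unsupported action %q", rule.Action)
		}
		if rule.ErrnoRet != nil && rule.Action == "SCMP_ACT_ERRNO" {
			act = seccompRetErrno | (*rule.ErrnoRet & 0xffff)
		}
		for _, name := range rule.Names {
			if nr, ok := x86_64Syscalls[name]; ok { // names unknown on this arch are skipped
				prog = append(prog, sockFilter{bpfJmpJeqK, 0, 1, nr}, sockFilter{bpfRetK, 0, 0, act})
			}
		}
	}
	return append(prog, sockFilter{bpfRetK, 0, 0, def}), nil
}

// Evaluate interprets the three opcodes Build emits, so a profile can be checked offline
// against an (arch, nr) pair before it is loaded into any process.
func Evaluate(prog []sockFilter, arch, nr uint32) uint32 {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		switch in := prog[pc]; in.Code {
		case bpfLdWAbs:
			acc = map[uint32]uint32{offNr: nr, offArch: arch}[in.K]
		case bpfJmpJeqK:
			j := in.JF
			if acc == in.K {
				j = in.JT
			}
			pc += int(j)
		case bpfRetK:
			return in.K
		}
	}
	return seccompRetKillProcess // falling off the end means a malformed filter
}
```

The init phase, which the block leaves out, is prctl(PR_SET_NO_NEW_PRIVS, 1) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sock_fprog) in the process that then execs the target; that ordering is why a profile used this way must allow execve and whatever the dynamic loader needs, and running Evaluate over the compiled filter first is the cheap way to catch a profile that would kill the target before it reaches main.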