
Commit 7de1160

Merge pull request #123 from tych0/seccomp-adjustment
api: add seccomp adjustment
2 parents 60a9851 + 8f2af44 commit 7de1160

13 files changed, +3554 -829 lines changed


README.md

Lines changed: 15 additions & 7 deletions
@@ -206,6 +206,7 @@ The following pieces of container metadata are available to plugins in NRI:
206206
- cpuset memory
207207
- Block I/O class
208208
- RDT class
209+
- Linux seccomp profile and policy
209210
- container (init) process ID
210211
- container (init process) exit status
211212
- timestamp of container creation
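Review bot: the new metadata bullet says "Linux seccomp profile and policy" while the matching bullet added to the adjustable-parameters list in the next hunk, and the validator text after it, say "Linux seccomp policy"; use one term in both lists so a reader can match the metadata a plugin receives with the parameter it may adjust. If the metadata really exposes two distinct things (a named profile and the resolved policy), say so in a few words here instead of joining them with "and".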
@@ -252,6 +253,7 @@ container parameters:
252253
- cpuset memory
253254
- Block I/O class
254255
- RDT class
256+
- Linux seccomp policy
255257

256258
### Container Updates
257259

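Review bot: the bullet "- Linux seccomp policy" states that the parameter is adjustable but not what forms of adjustment a plugin may make; the validator description later in this change distinguishes runtime default, custom and unconfined profiles, so a short note here on which of those a plugin can set, and whether an existing policy can be replaced or only added when none is set, would make the adjustment list self-contained.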
@@ -341,11 +343,17 @@ selectively configured to
341343
1. Reject OCI Hook injection: Reject any adjustment which tries to inject
342344
OCI Hooks into a container.
343345

344-
2. Verify global mandatory plugins: Verify that all configured mandatory
346+
2. Reject Linux seccomp policy adjustment: Reject any adjustment which tries
347+
to set/override Linux seccomp policy of a container. There are separate controls
348+
for rejecting adjustment of the seccomp policy profile based on the type of policy
349+
profile set for the container. These types include the runtime default seccomp
350+
policy profile, a custom policy profile, and unconfined security profiles.
351+
352+
3. Verify global mandatory plugins: Verify that all configured mandatory
345353
plugins are present and have processed a container. Otherwise reject the
346354
creation of the container.
347355

348-
3. Verify annotated mandatory plugins: Verify that an annotated set of
356+
4. Verify annotated mandatory plugins: Verify that an annotated set of
349357
container-specific mandatory plugins are present and have processed a
350358
container. Otherwise reject the creation of the container.
351359

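Review bot: item 2 says "There are separate controls for rejecting adjustment of the seccomp policy profile based on the type of policy profile" but names none of them, so a reader cannot find the configuration keys from this text; list the option names or point at the validator configuration reference. The terminology also drifts within the paragraph ("seccomp policy", "seccomp policy profile", "unconfined security profiles"); pick one term. Minor grammar: "to set/override Linux seccomp policy of a container" reads better as "to set or override the Linux seccomp policy of a container".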
@@ -354,11 +362,11 @@ allows one to deploy mandatory plugins as containers themselves.
354362

355363
#### Default Validation Scope
356364

357-
Currently only OCI hook injection can be restricted using the default
358-
validator. However, this probably will change in the future. Especially
359-
when NRI is extended with control over new container parameters. If such
360-
parameters will have security implications, corresponding configurable
361-
restrictions will be introduced to the default validator.
365+
Currently only OCI hook injection and Linux seccomp policy can be restricted
366+
using the default validator. However, this probably will change in the future.
367+
Especially when NRI is extended with control over more container parameters.
368+
If newly added controls will have security implications, expect corresponding
369+
configurable restrictions in the default validator.
362370

363371
## Runtime Adaptation
364372

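Review bot: the new sentence "If newly added controls will have security implications, expect corresponding configurable restrictions in the default validator" mixes a future-tense condition with an imperative; suggest "If newly added controls have security implications, corresponding configurable restrictions will be added to the default validator." Since this paragraph is now the summary of what the default validator can restrict, it should also mention that the seccomp restriction is configurable per profile type (runtime default, custom, unconfined), as item 2 above says, so the two sections agree.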