commit 066a430ec537775a1df9b30805dce551d78258c0
parent c33438f227efa4e8541c3152b684e3925c944f71
Author: Jan Pobrislo <ccx@te2000.cz>
Date: Tue, 6 May 2025 11:57:07 +0000
configurable seccomp profile
Diffstat:
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -17,6 +17,7 @@ multisubstitute {
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
importas -i -u PREPARE_CHROOT PREPARE_CHROOT
importas -i -u PID1_EXEC PID1_EXEC
+ importas -D default CONTAINER_SECCOMP_PROFILE CONTAINER_SECCOMP_PROFILE
}
getpid NS_PID
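Review bot: The added `importas` is the only directive in this `multisubstitute` block without `-u`, so `CONTAINER_SECCOMP_PROFILE` stays in the environment after substitution and, unless it is cleared later outside the hunk, is inherited by the container's processes through the `busybox env` exec further down the script. The three existing directives all unexport their variables; for consistency, and to keep host-side service configuration out of the guest environment, the line should read `importas -D default -u CONTAINER_SECCOMP_PROFILE CONTAINER_SECCOMP_PROFILE`. The `multisubstitute` block begins before the hunk.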
@@ -67,7 +68,7 @@ ns_run_unshared data/root {
# This runs with changed / so use absolute paths before dropping privs
/mnt/ns/bin/applyuidgid-caps -U $CONTAINER_CAPS
-/mnt/ns/bin/seccomp-run /mnt/ns/bin/seccomp-default.bpf
+/mnt/ns/bin/seccomp-run /mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf
/mnt/ns/bin/busybox env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
/mnt/ns/bin/foreground {
/mnt/ns/bin/busybox cat /proc/1/status
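Review bot: The path on the `+` line is assembled from `CONTAINER_SECCOMP_PROFILE` with no check that the named filter exists or that the value is a plain name rather than a path fragment. The value is written from site configuration by the confz checks, so it is trusted, but a misspelled profile is only discovered at container start: if `seccomp-run` refuses to continue when the `.bpf` file is missing the container fails closed, which is the right outcome, whereas if it tolerates a missing file the container runs with no filter at all — worth confirming against `seccomp-run` before relying on this. A comment above the line, `# profile name comes from env/CONTAINER_SECCOMP_PROFILE and must match an installed /mnt/ns/bin/seccomp-<name>.bpf`, would document the contract. The `ns_run_unshared` block starts before the hunk and continues after it.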
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -402,6 +402,7 @@ confz_container_service_ephemeral_check() {
local -a fstab mnt_dirs
checkvars containers_dir svscan_dir image_name user
defvar linux_caps ''
+ defvar seccomp_profile 'default'
defvar fstab_extra ''
defvar mnt_dirs_extra ''
defvar container_name "$vars[image_name]"
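Review bot: `defvar seccomp_profile 'default'` accepts any string, while the only values this commit uses are `default`, `ptrace` and `build`, and the name is later spliced into `/mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf` by `service_scripts/generic/run`. A comment beside the defvar, `# seccomp profile name; selects /mnt/ns/bin/seccomp-<name>.bpf inside the container`, would tell the next person editing a site config which values are meaningful, and rejecting names containing `/` here would surface a typo at configuration time rather than at container start. `confz_container_service_ephemeral_check` starts before the hunk and continues after it.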
@@ -584,6 +585,8 @@ confz_container_service_generic_check() {
content="$mnt_dirs"
require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
content=$vars[linux_caps]
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_SECCOMP_PROFILE \
+ content=$vars[seccomp_profile]
}
confz_container_service_alsa_check() {
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -79,6 +79,7 @@ confz_site_containers_usersvc_simple_check() {
require container_service_$vars[container_type] \
:image_name :container_name :containers_dir :svscan_dir :user \
\?mnt_dirs_extra \?fstab_extra \?prepare_chroot \?linux_caps \
+ \?seccomp_profile \
pid1_el=${(F)pid1_el_lines}
#local chome=$userdir/$vars[container_name]/home/$vars[user]
@@ -112,6 +113,7 @@ confz_site_containers_user_single_check() {
require site_containers_usersvc_simple \
:containers_dir :svscan_dir :user :uid :gid \
:container_name :image_name :mount_ro \?mount_rw \?linux_caps \
+ \?seccomp_profile \
\?prepare_chroot
}
@@ -267,20 +269,20 @@ confz_site_containers_user_check() {
UC neonmodem alpine-go
UC iamb alpine-rust
UC simplex alpine-haskell
- UC xpra gentoo-xorg container_type=ephemeral $in_netns
+ UC xpra gentoo-xorg container_type=ephemeral $in_netns seccomp_profile=ptrace
UC bzr alpine-breezy mount_rw=ccx-bzr "$ro ccx-baregit" $in_netns
UC git alpine-git mount_rw=ccx-baregit $in_netns
UC sndiod alpine-sndio $with_audio $in_netns
UC mpd void-mpd "$ro init audio"
#UC {,}alpine-recombee
UC rcm-puppet alpine-puppet $in_netns
- UC rcm-postgresql-dev alpine-postgresql-dev $in_netns
- UC spark alpine-dev-spark mount_rw="ccx-bzr"
- UC ssrn-master-dev alpine-postgresql-dev mount_rw="ccx-bzr" $in_netns
- UC pthbs-dev alpine-pthbs-dev mount_rw="ccx-bzr" "$ro pthbs mrrl" $in_netns $with_more_fds
- UC pthbs-build mrrl-bindmount "$ro versions mrrl" $in_netns $with_more_fds
- UC gentoo-prefix-dev alpine-gentoo-dev $with_opt "$ro versions"
- UC x11-dev gentoo-xorg mount_rw="ccx-bzr" $in_netns
+ UC rcm-postgresql-dev alpine-postgresql-dev $in_netns seccomp_profile=ptrace
+ UC spark alpine-dev-spark mount_rw="ccx-bzr" seccomp_profile=ptrace
+ UC ssrn-master-dev alpine-postgresql-dev mount_rw="ccx-bzr" $in_netns seccomp_profile=ptrace
+ UC pthbs-dev alpine-pthbs-dev mount_rw="ccx-bzr" "$ro pthbs mrrl" $in_netns $with_more_fds seccomp_profile=ptrace
+ UC pthbs-build mrrl-bindmount "$ro versions mrrl" $in_netns $with_more_fds seccomp_profile=build
+ UC gentoo-prefix-dev alpine-gentoo-dev $with_opt "$ro versions" seccomp_profile=ptrace
+ UC x11-dev gentoo-xorg mount_rw="ccx-bzr" $in_netns seccomp_profile=ptrace
# -- mail
UCa mail-net mount_rw="init mail-te2000.cz-ccx mail-disroot.org-ccx"
UC {rcm,alpine}-mail-net mount_rw="init mail-recombee.com-jan.pobrislo"
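Review bot: The new `seccomp_profile=ptrace` and `seccomp_profile=build` values select `seccomp-ptrace.bpf` and `seccomp-build.bpf` under `/mnt/ns/bin`, but the diffstat lists only three files and none of them is a filter, so those profiles must already ship in every image assigned here; otherwise these containers cannot start, or run unfiltered if `seccomp-run` tolerates a missing file. Confirming both filters exist for each of the images listed on the `+` lines, and naming where they come from in the commit message, would close that gap. `confz_site_containers_user_check` starts before the hunk and continues after it.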