commit e8dfe8dcb4396ac0f12f0d0017f9836fa113e3a6
parent 21d8446e2d48a69b9da8e5b5efd8d29ff67f0426
Author: ccx <ccx@te2000.cz>
Date: Tue, 6 May 2025 14:08:09 +0000
Add seccomp_profile to ephemeral container start
Diffstat:
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -60,7 +60,7 @@ if {
foreground { printf "Seccomp profile to be used:" }
foreground {
- ls -lhA /mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf
+ ls -lhA ./mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf
}
emptyenv -c
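Review bot: The switch to the relative `./mnt/ns/bin/...` path makes this listing depend on whatever the working directory is at this point of the script, and because it runs under `foreground` a failed `ls` only prints an error and the start sequence continues, so a missing or misnamed profile (for example the `seccomp-xpra.bpf` that the new `seccomp_profile=xpra` line in confz_site_containers_init now expects, which this commit does not add) shows up as a log line rather than a refusal to start. If the listing is meant to be a real precondition rather than a debug aid, `if { test -f ./mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf }` in place of the `foreground { ls ... }` would abort before `emptyenv`; if it is only informational, a comment saying so would stop the next reader from relying on it. The enclosing `if {` block begins outside the hunk, so I cannot see whether the cwd is set earlier or which path the actual profile loader uses.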
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -401,6 +401,7 @@ confz_container_service_ephemeral_check() {
local uid gid container_user_dir svc_dir log_dir container
local -a fstab mnt_dirs
checkvars containers_dir svscan_dir image_name user
+ defvar seccomp_profile 'default'
defvar linux_caps ''
defvar fstab_extra ''
defvar mnt_dirs_extra ''
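Review bot: `seccomp_profile` is accepted as an arbitrary string here and, in the second hunk of this file, written verbatim into `CONTAINER_SECCOMP_PROFILE`, which the run script interpolates into `seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf`; nothing rejects an empty value or one containing `/` or `..`, so a typo or stray path component silently redirects the profile lookup. The value comes from site configuration, so this is a misconfiguration hazard rather than an exposure to untrusted input, but a guard after the `defvar`, such as `[[ -n $vars[seccomp_profile] && $vars[seccomp_profile] != *[^[:alnum:]_-]* ]]` followed by the function's usual failure path, would turn that into an early, visible error instead of a container starting against an unintended profile name. A one-line comment on the `defvar` naming the expected form (`# bare profile name, resolved to seccomp-<name>.bpf by service_scripts/generic/run`) would also help, since the link between the two files is not otherwise stated. confz_container_service_ephemeral_check continues past both hunks.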
@@ -486,6 +487,8 @@ confz_container_service_ephemeral_check() {
content="$mnt_dirs"
require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
content=$vars[linux_caps]
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_SECCOMP_PROFILE \
+ content=$vars[seccomp_profile]
}
confz_container_service_generic_check() {
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -269,7 +269,7 @@ confz_site_containers_user_check() {
UC neonmodem alpine-go
UC iamb alpine-rust
UC simplex alpine-haskell
- UC xpra gentoo-xorg container_type=ephemeral $in_netns seccomp_profile=ptrace
+ UC xpra gentoo-xorg container_type=ephemeral $in_netns seccomp_profile=xpra
UC bzr alpine-breezy mount_rw=ccx-bzr "$ro ccx-baregit" $in_netns
UC git alpine-git mount_rw=ccx-baregit $in_netns
UC sndiod alpine-sndio $with_audio $in_netns