-
Notifications
You must be signed in to change notification settings - Fork 541
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config-linux.md: formalize the order of seccomp.syscalls
#1159
Conversation
config-linux.md
Outdated
@@ -718,6 +718,7 @@ The following parameters can be specified to set up seccomp: | |||
This field MUST NOT be set if `listenerPath` is not set. | |||
|
|||
* **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp. | |||
When the syscall matches multiple entries, only the first entry is effective. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When the syscall matches multiple entries
Is any explanation needed on "matches"? As the same syscall
with different args
effectively is a different rule? (Suggestions welcome)
I'm somewhat inclined to move this its own paragraph below the definition of the properties. It feels a bit "off" to describe this before describing the property to be optional, and describing what's in it.
I guess some of this may become more relevant with #1102; perhaps that option may require stricter constraints though on duplicates (?). TBH, I think it's a bit unfortunate that this is how runtimes behave currently; Wondering if there's cases where duplicates were added unintentionally, and an error would've been more appropriate.
Should we (can we?) add a recommendation for runtimes to log such cases?
Syscalls in this list are not guaranteed to be unique, and MAY appear multiple
times. If a syscall appears multiple times, runtimes MUST use the first match,
MUST ignore further occurrences. Runtimes MAY log a warning if duplicate entries
are present.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, updated, and added Co-authored-by:
line with your name in the commit log
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
and added Co-authored-by: line with your name in the commit log
Oh, wasn't strictly needed for me, but thanks
I think the only part I could use input on is "first match"; I wonder if that needs further clarification (matching only on sys call, or matching syscall + args, which would make it "best match").
I should've probably dug into this myself, but perhaps others may have good wording for that to fill me in ❤️
1770f63
to
f8429b7
Compare
Corresponds to the behavior of existing implementations such as runc Co-authored-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
f8429b7
to
7fe7f3a
Compare
When the syscall matches multiple entries, only the first entry is effective.
Corresponds to the behavior of existing implementations such as runc.