config-linux.md: formalize the order of seccomp.syscalls
#1159
Conversation
AkihiroSuda
requested review from
crosbymichael,
cyphar,
dqminh,
giuseppe,
hqhq,
mrunalp,
tianon and
vbatts
as code owners
config-linux.md
Outdated
| @@ -718,6 +718,7 @@ The following parameters can be specified to set up seccomp: | |||
| This field MUST NOT be set if `listenerPath` is not set. | |||
|
|
|||
| * **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp. | |||
| When the syscall matches multiple entries, only the first entry is effective. | |||
There was a problem hiding this comment.
When the syscall matches multiple entries
Is any explanation needed on "matches"? As the same syscall with different args effectively is a different rule? (Suggestions welcome)
I'm somewhat inclined to move this its own paragraph below the definition of the properties. It feels a bit "off" to describe this before describing the property to be optional, and describing what's in it.
I guess some of this may become more relevant with #1102; perhaps that option may require stricter constraints though on duplicates (?). TBH, I think it's a bit unfortunate that this is how runtimes behave currently; Wondering if there's cases where duplicates were added unintentionally, and an error would've been more appropriate.
Should we (can we?) add a recommendation for runtimes to log such cases?
Syscalls in this list are not guaranteed to be unique, and MAY appear multiple
times. If a syscall appears multiple times, runtimes MUST use the first match,
MUST ignore further occurrences. Runtimes MAY log a warning if duplicate entries
are present.There was a problem hiding this comment.
Thanks, updated, and added Co-authored-by: line with your name in the commit log
There was a problem hiding this comment.
Thanks!
and added Co-authored-by: line with your name in the commit log
Oh, wasn't strictly needed for me, but thanks
I think the only part I could use input on is "first match"; I wonder if that needs further clarification (matching only on sys call, or matching syscall + args, which would make it "best match").
I should've probably dug into this myself, but perhaps others may have good wording for that to fill me in ❤️
AkihiroSuda
force-pushed
the
seccomp-order
branch
from
1770f63
to
f8429b7
Compare
Corresponds to the behavior of existing implementations such as runc Co-authored-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda
force-pushed
the
seccomp-order
branch
from
f8429b7
to
7fe7f3a
Compare
When the syscall matches multiple entries, only the first entry is effective.
Corresponds to the behavior of existing implementations such as runc.