chroot: don't use the generate default seccomp filter for unit tests

When we link our test helper statically using the external linker, the hardwired default seccomp filter we get from the runtime-tools generator triggers a hang in it at startup. Rather than switch to the internal linker, which seems to work around this, start using the same seccomp filter for unit tests that we actually use in real life, leaving analysis of which difference between the two is responsible for it for another day. Signed-off-by: Nalin Dahyabhai <[email protected]>
containers · Nov 5, 2021 · 4583c71 · 4583c71
1 parent 7017fc8
commit 4583c71
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/chroot/run_test.go b/chroot/run_test.go
@@ -38,6 +38,9 @@ func testMinimal(t *testing.T, modify func(g *generate.Generator, rootDir, bundl
 	if err != nil {
 		t.Fatalf("generate.New(%q): %v", "linux", err)
 	}
+	if err = setupSeccomp(g.Config, ""); err != nil {
+		t.Fatalf("setupSeccomp(%q): %v", "", err)
+	}
 
 	tempDir, err := ioutil.TempDir("", "chroot-test")
 	if err != nil {

diff --git a/chroot/seccomp.go b/chroot/seccomp.go
@@ -3,6 +3,9 @@
 package chroot
 
 import (
+	"io/ioutil"
+
+	"github.com/containers/common/pkg/seccomp"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	libseccomp "github.com/seccomp/libseccomp-golang"
@@ -171,3 +174,27 @@ func setSeccomp(spec *specs.Spec) error {
 	}
 	return nil
 }
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	switch seccompProfilePath {
+	case "unconfined":
+		spec.Linux.Seccomp = nil
+	case "":
+		seccompConfig, err := seccomp.GetDefaultProfile(spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading default seccomp profile failed")
+		}
+		spec.Linux.Seccomp = seccompConfig
+	default:
+		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
+		if err != nil {
+			return errors.Wrapf(err, "opening seccomp profile (%s) failed", seccompProfilePath)
+		}
+		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading seccomp profile (%s) failed", seccompProfilePath)
+		}
+		spec.Linux.Seccomp = seccompConfig
+	}
+	return nil
+}
diff --git a/chroot/seccomp_unsupported.go b/chroot/seccomp_unsupported.go
@@ -13,3 +13,11 @@ func setSeccomp(spec *specs.Spec) error {
 	}
 	return nil
 }
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	if spec.Linux != nil {
+		// runtime-tools may have supplied us with a default filter
+		spec.Linux.Seccomp = nil
+	}
+	return nil
+}