Skip to content

Add runtime handler seccomp profile #9424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 7, 2025
Merged

Add runtime handler seccomp profile #9424

merged 1 commit into from
Sep 7, 2025
+262 −30

Conversation

gavinkflam
Copy link
Contributor

@gavinkflam gavinkflam commented Aug 27, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Allow configuration of a default seccomp profile per runtime.

Which issue(s) this PR fixes:

Fixes #5715

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Allow configuration of a default seccomp profile per runtime.

@gavinkflam gavinkflam requested a review from mrunalp as a code owner August 27, 2025 03:19
@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Aug 27, 2025
@openshift-ci openshift-ci bot requested review from bitoku and QiWang19 August 27, 2025 03:19
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 27, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 27, 2025

Hi @gavinkflam. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from 82aa88e to 5e9e8c0 Compare August 27, 2025 03:21
@gavinkflam
Copy link
Contributor Author

/cc saschagrunert haircommander

Please take a look if you get a chance.

@codecov Codecov
Copy link

codecov bot commented Aug 27, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 70.96774% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.53%. Comparing base (259e23f) to head (a0a44b5).
⚠️ Report is 43 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9424      +/-   ##
==========================================
+ Coverage   65.96%   66.53%   +0.56%     
==========================================
  Files         202      202              
  Lines       27761    27994     +233     
==========================================
+ Hits        18312    18625     +313     
+ Misses       7904     7790     -114     
- Partials     1545     1579      +34
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@gavinkflam gavinkflam mentioned this pull request Aug 27, 2025
Closed
@saschagrunert
Copy link
Member

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 27, 2025
saschagrunert
saschagrunert reviewed Aug 27, 2025
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I just have a few suggestions, otherwise LGTM

@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch 2 times, most recently from c9e819c to d0b95a8 Compare August 28, 2025 01:59
saschagrunert
saschagrunert reviewed Aug 28, 2025
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cri-o/cri-o-maintainers PTAL, LGTM

@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from d0b95a8 to 417b30e Compare August 29, 2025 03:20
@gavinkflam
Copy link
Contributor Author

@saschagrunert @bitoku Please take another look. I realized that I should only apply the profile when the profile type is RuntimeDefault.

I've corrected that and added two tests to verify the profile type behavior and fallback logic.

bitoku
bitoku reviewed Aug 29, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! overall lgtm, just one comment about validation

@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch 3 times, most recently from c683f7e to 8d11afc Compare August 31, 2025 14:07
@gavinkflam gavinkflam requested a review from bitoku August 31, 2025 23:08
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 1, 2025
bitoku
bitoku reviewed Sep 2, 2025
View reviewed changes
@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from 8d11afc to 929c5dd Compare September 3, 2025 01:35
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 3, 2025
@gavinkflam gavinkflam requested a review from bitoku September 3, 2025 01:40
bitoku
bitoku reviewed Sep 3, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seccomp Setup() should be closed to the receiver and shouldn't accept other Config.
Instead, how about returning the right seccomp in Runtime.Seccomp()?
I think this will make the code simpler.

Also this is nit, but it seems we can create a new function to validate seccomp. They look almost same.

@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from 929c5dd to 1c7208a Compare September 4, 2025 03:15
@gavinkflam gavinkflam requested a review from bitoku September 4, 2025 03:26
@gavinkflam
Copy link
Contributor Author

@bitoku To use RuntimeHandler.seccompConfig directly, we’d need to set up its notifierPath correctly. That requires APIConfig.Listen, which would mean passing the root Config struct deep into validateRuntimeSeccompProfile() - not ideal.

Instead, I’ve updated the config and Setup() to work with the seccomp.Seccomp struct directly. This makes the implementation simpler and more natural.

Let me know what do you think.

bitoku
bitoku reviewed Sep 4, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To use RuntimeHandler.seccompConfig directly, we’d need to set up its notifierPath correctly. That requires APIConfig.Listen, which would mean passing the root Config struct deep into validateRuntimeSeccompProfile() - not ideal.

I don't think that using rootConfig is not ideal.
Cascading the value deep into validateRuntimeSeccompProfile() may look messy, but we can do just like this instead.

cri-o/pkg/config/config.go

Lines 1063 to 1065 in 51ce3dd

c.seccompConfig.SetNotifierPath(
filepath.Join(filepath.Dir(c.Listen), "seccomp"),
)

Ideally, now that runtimeHandler has seccomp profile, everything should rely on runtimeHandler seccomp profile.

But this is more style suggestion, and if there's a reason not to do that, it's not a blocker of this PR.
We could also follow up when we find a better way.

Thank you for working on it!

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 4, 2025
bitoku
bitoku reviewed Sep 4, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm cancel
sorry there's one thing I missed.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 4, 2025
@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from 1c7208a to 71d5047 Compare September 5, 2025 03:58
@gavinkflam
Add runtime handler seccomp profile
a0a44b5 
Signed-off-by: Gavin Lam <gavin.oss@tutamail.com>
@gavinkflam gavinkflam force-pushed the 5715-runtime-default-seccomp-profile branch from 71d5047 to a0a44b5 Compare September 5, 2025 04:47
@gavinkflam gavinkflam requested a review from bitoku September 5, 2025 04:57
@gavinkflam
Copy link
Contributor Author

@bitoku Please take another look.

I've added pod support, and implemented your suggestion of having Runtime.Seccomp() returning the right seccomp.Config.

bitoku
bitoku reviewed Sep 5, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 5, 2025
@bitoku
Copy link
Contributor

bitoku commented Sep 5, 2025

@saschagrunert Can you PTAL?

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gavinkflam, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 7, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit aea52d6 into cri-o:main Sep 7, 2025
76 checks passed
@gavinkflam gavinkflam deleted the 5715-runtime-default-seccomp-profile branch September 8, 2025 00:26
@gavinkflam gavinkflam mentioned this pull request Sep 9, 2025
Merged
@github-actions github-actions bot mentioned this pull request Sep 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bitoku bitoku bitoku left review comments

@saschagrunert saschagrunert saschagrunert approved these changes

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@QiWang19 QiWang19 Awaiting requested review from QiWang19

@haircommander haircommander Awaiting requested review from haircommander

Assignees

@saschagrunert saschagrunert

@bitoku bitoku

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Configure seccomp RuntimeDefault profile based on RuntimeClass
3 participants
@gavinkflam @saschagrunert @bitoku