github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/contrib/cmd/seccompagent/README.md

# Seccomp Agent

## Warning

Please note this is an example agent; as such, it is possible that specially
crafted messages can produce bad behaviour. Please use it as an example only.

Also, this agent is used for integration tests. Be aware that changing its
behaviour can break the integration tests.

## Get started

Compile runc and seccompagent:
```bash
make all
```

Run the seccomp agent in the background:
```bash
sudo ./contrib/cmd/seccompagent/seccompagent &
```

Prepare a container:
```bash
mkdir container-seccomp-notify
cd container-seccomp-notify
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -
```

Then, generate a config.json by running the script gen-seccomp-example-cfg.sh
(located in the same directory as this README.md) from inside the container
directory you prepared earlier (`container-seccomp-notify`).

Then start the container:
```bash
runc run mycontainerid
```

The container will output something like this:
```bash
+ cd /dev/shm
+ mkdir test-dir
+ touch test-file
+ chmod 777 test-file
chmod: changing permissions of 'test-file': No medium found
+ stat /dev/shm/test-dir-foo
  File: /dev/shm/test-dir-foo
  Size: 40        	Blocks: 0          IO Block: 4096   directory
Device: 3eh/62d	Inode: 2           Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-09-09 15:03:13.043716040 +0000
Modify: 2021-09-09 15:03:13.043716040 +0000
Change: 2021-09-09 15:03:13.043716040 +0000
 Birth: -
+ ls -l /dev/shm
total 0
drwxr-xr-x 2 root root 40 Sep  9 15:03 test-dir-foo
-rw-r--r-- 1 root root  0 Sep  9 15:03 test-file
+ echo Note the agent added a suffix for the directory name and chmod fails
Note the agent added a suffix for the directory name and chmod fails
```

This is a simple example that runs in /dev/shm only because it is a tmpfs in
the example config.json.

The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows.

For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir",
but the directory created is "test-dir-foo".