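#!/usr/bin/env bash
# Generate an example config.json for the seccomp agent: the seccomp profile
# forwards chmod/fchmod/fchmodat/mkdir to a listener on
# /run/seccomp-agent.socket, and the container process exercises exactly those
# syscalls so the agent's behaviour is visible in its output.
#
# Detect if we are running inside bats (i.e. inside integration tests) or just
# called by an end-user.
# bats-core v1.2.1 defines BATS_RUN_TMPDIR.
if [ -z "$BATS_RUN_TMPDIR" ]; then
  # When not running in bats, we create the config.json ourselves and stop at
  # the first failing command.
  set -e
  runc spec
fi

# We can't source $(dirname $0)/../../../tests/integration/helpers.bash as that
# exits when not running inside bats. We can do hacks, but just to redefine
# update_config() seems clearer. We don't even really need to keep them in sync.
#
# Rewrite ./config.json in place by applying the jq filter passed as $1.
# jq's output goes to a temporary file first and is copied over config.json
# only when jq succeeds; a bad filter (or a missing jq) therefore leaves
# config.json untouched instead of truncating it to an empty document, which
# is what piping straight into the file would do.
# Arguments: $1 - jq filter to apply (trusted, script-internal).
# Returns:   jq's non-zero status when the filter fails, 0 otherwise.
update_config() {
  local filter=$1
  local tmp rc=0
  tmp=$(mktemp ./config.json.XXXXXX) || return
  jq "$filter" "./config.json" >"$tmp" || rc=$?
  if [ "$rc" -ne 0 ]; then
    rm -f -- "$tmp"
    printf '%s\n' "update_config: jq filter failed; ./config.json left unchanged" >&2
    return "$rc"
  fi
  # Copy rather than mv so config.json keeps its original mode and inode
  # (mktemp creates the temporary file with restrictive permissions).
  cat -- "$tmp" >"./config.json" && rm -f -- "$tmp"
}

# Allow everything by default; only the listed syscalls are sent to the agent
# via SCMP_ACT_NOTIFY. listenerMetadata is an opaque string handed to the agent.
update_config '.linux.seccomp = {
	"defaultAction": "SCMP_ACT_ALLOW",
	"listenerPath": "/run/seccomp-agent.socket",
	"listenerMetadata": "foo",
	"architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_X86_64" ],
	"syscalls": [
		{
			"names": [ "chmod", "fchmod", "fchmodat", "mkdir" ],
			"action": "SCMP_ACT_NOTIFY"
		}
	]
}'

# The container process triggers the notified syscalls under /dev/shm; the
# echoed note describes the agent's expected effect on mkdir and chmod.
update_config '.process.args = [
	"sh",
	"-c",
	"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; stat /dev/shm/test-dir-foo && ls -l /dev/shm && echo \"Note the agent added a suffix for the directory name and chmod fails\" "
]'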