
Add Seccomp support #593

Open

dcantah wants to merge 1 commit into apple:main from dcantah:seccomp

Conversation

@dcantah dcantah (Contributor) commented Mar 23, 2026

Closes #551

This change is rather large, but I think this is one of those changes that is much simpler to see all laid out. It:

  • Adds a new ContainerizationSeccomp target/product that is a cBPF compiler specifically for seccomp. Its main use is to take in an OCI seccomp description and spit out a filter we can apply.
  • Adds a new friendly SeccompProfile API to Containerization to specify what filters you'd like applied. This will (as is the case for basically everything else) get translated to OCI behind the scenes.
  • Adds a small bit of logic in vmexec to apply the filters.

And unit and integration tests for everything. Unit testing is interesting. I've added a small simulator so we actually have some semblance of testing outside of just integration tests and seeing if the syscall is blocked/returns whatever.

Right now the codegen is somewhat simple. I'm sure it can be better, but it's a start.

@almet almet commented May 2, 2026

Hi, thanks for working on this! Let me know if there is anything I can do to help make this happen :-)

@dcantah dcantah (Contributor, Author) commented May 3, 2026

@almet I'll try and get some folks to take a gander in the coming weeks. It's a rather large surface.

This change is rather large, but I think it's simpler to get in as one unit. It:

- Adds a new ContainerizationSeccomp target/product that is a cBPF compiler specifically for seccomp. Its main use is to take in an OCI seccomp description and spit out a filter we can apply.
- Adds a new friendly SeccompProfile API to Containerization to specify what filters you'd like applied. This will (as is the case for basically everything else) get translated to OCI behind the scenes.
- Adds a small bit of logic in vmexec to apply the filters.

And unit and integration tests for everything. Unit testing is interesting. I've added a small simulator so we actually have some semblance of testing outside of just integration tests and seeing if the syscall is blocked/returns whatever.
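The PR description and the commit message above both describe the same pipeline: an OCI seccomp description goes into a cBPF compiler, a filter comes out, and a small simulator lets unit tests check the filter's verdicts without a kernel. What follows is an added example written for this page to make that pipeline concrete; it is not code from apple/containerization or from this PR. It assumes an aarch64-only profile with a hand-picked syscall table, handles only syscall names and actions (no argument matching), and copies the Linux ABI constants it needs so it runs on any OS. The names `compile_profile`, `run_filter`, `Insn` and `EXAMPLE_PROFILE` are this example's own, as is the constructed profile.

```python
# OCI linux.seccomp (names + actions) -> cBPF compiler, plus a filter simulator.
# ABI constants copied from the Linux headers (bpf_common.h, seccomp.h, audit.h, unistd.h).
import struct
from dataclasses import dataclass

BPF_LD_W_ABS, BPF_JEQ_K, BPF_RET_K = 0x20, 0x15, 0x06  # A = u32 at data+k; pc += A==k ? jt : jf; return k
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000  # errno travels in the low 16 bits
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_AARCH64, AUDIT_ARCH_X86_64 = 0xC00000B7, 0xC000003E
SECCOMP_DATA_NR, SECCOMP_DATA_ARCH = 0, 4  # offsetof(struct seccomp_data, nr) / (.., arch)

# arm64 syscall numbers for the names used by the constructed profile below.
AARCH64_SYSCALLS = {"openat": 56, "read": 63, "write": 64, "exit_group": 94, "ptrace": 117}
ARCH_TABLE = {"SCMP_ARCH_AARCH64": (AUDIT_ARCH_AARCH64, AARCH64_SYSCALLS)}
ACTIONS = {"SCMP_ACT_ALLOW": SECCOMP_RET_ALLOW, "SCMP_ACT_KILL_PROCESS": SECCOMP_RET_KILL_PROCESS,
           "SCMP_ACT_ERRNO": SECCOMP_RET_ERRNO | 1}  # ERRNO means EPERM unless errnoRet is set, as in runc


@dataclass
class Insn:
    """One struct sock_filter: u16 code, u8 jt, u8 jf, u32 k."""
    code: int
    jt: int
    jf: int
    k: int

    def pack(self) -> bytes:  # little-endian, as on the arm64 and x86_64 hosts this targets
        return struct.pack("<HBBI", self.code, self.jt, self.jf, self.k)


def action_to_ret(action: str, errno_ret=None) -> int:
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if action == "SCMP_ACT_ERRNO" and errno_ret is not None:
        return SECCOMP_RET_ERRNO | (errno_ret & 0xFFFF)
    return ACTIONS[action]


def compile_profile(profile: dict) -> list:
    """Load arch and kill on mismatch (syscall numbers differ per ABI, so a filter
    without this check is bypassable), load nr, emit one "jeq nr -> ret" pair per
    name (first matching rule wins), then fall through to defaultAction."""
    archs = profile.get("architectures", [])
    if len(archs) != 1 or archs[0] not in ARCH_TABLE:
        raise ValueError("this example compiles exactly one supported architecture")
    audit_arch, table = ARCH_TABLE[archs[0]]
    prog = [
        Insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),
        Insn(BPF_JEQ_K, 1, 0, audit_arch),  # match: jump over the kill
        Insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        Insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),
    ]
    for rule in profile.get("syscalls", []):
        ret = action_to_ret(rule["action"], rule.get("errnoRet"))
        for name in rule["names"]:
            if name not in table:
                raise ValueError(f"unknown syscall {name!r} for {archs[0]}")
            prog += [Insn(BPF_JEQ_K, 0, 1, table[name]), Insn(BPF_RET_K, 0, 0, ret)]
    prog.append(Insn(BPF_RET_K, 0, 0, action_to_ret(profile["defaultAction"])))
    return prog


def run_filter(prog: list, nr: int, arch: int) -> int:
    """Step prog the way the kernel does over a little-endian struct seccomp_data
    (nr, arch, instruction_pointer, args[6]; the last two are zero here)."""
    data = struct.pack("<iI", nr, arch).ljust(64, b"\0")
    acc, pc = 0, 0
    while pc < len(prog):
        insn = prog[pc]
        if insn.code == BPF_LD_W_ABS:
            if insn.k + 4 > len(data):
                raise ValueError(f"pc {pc}: load past end of seccomp_data")
            acc = struct.unpack_from("<I", data, insn.k)[0]
        elif insn.code == BPF_JEQ_K:
            pc += insn.jt if acc == insn.k else insn.jf
        elif insn.code == BPF_RET_K:
            return insn.k
        else:
            raise ValueError(f"pc {pc}: unsupported opcode {insn.code:#x}")
        pc += 1
    raise ValueError("filter ran off the end; the kernel rejects such programs")


# Constructed profile: allow read/write/exit_group, openat fails with EACCES (13),
# anything else kills the process.
EXAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_KILL_PROCESS",
    "architectures": ["SCMP_ARCH_AARCH64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["openat"], "action": "SCMP_ACT_ERRNO", "errnoRet": 13},
    ],
}

if __name__ == "__main__":
    prog = compile_profile(EXAMPLE_PROFILE)
    for name in ("read", "openat", "ptrace"):
        print(f"{name:>10} -> {run_filter(prog, AARCH64_SYSCALLS[name], AUDIT_ARCH_AARCH64):#010x}")
```

Two details are the ones worth carrying over to any real compiler. First, the filter checks `seccomp_data.arch` before it looks at `nr` and kills on mismatch, because the same syscall number means different things under different ABIs; the simulator makes that visible by feeding an aarch64 `read` number under `AUDIT_ARCH_X86_64` and getting a kill rather than an allow. Second, an `SCMP_ACT_ERRNO` rule encodes its errno in the low 16 bits of the return value, so `errnoRet: 13` compiles to `0x0005000d` and an absent `errnoRet` falls back to EPERM the way runc does. Installing the packed `sock_filter` bytes for real still requires the process to set `PR_SET_NO_NEW_PRIVS` and call `seccomp(SECCOMP_SET_MODE_FILTER, ...)` (or `prctl(PR_SET_SECCOMP, ...)`); this example stops at producing and simulating the program.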