
Text file src/github.com/opencontainers/runc/contrib/cmd/seccompagent/README.md

Documentation: github.com/opencontainers/runc/contrib/cmd/seccompagent

# Seccomp Agent

## Warning

Please note this is an example agent; as such, specially crafted messages may
produce bad behaviour. Please use it as an example only.

Also, this agent is used for integration tests. Be aware that changing the
behaviour can break the integration tests.

## Get started

Compile runc and seccompagent:
```bash
make all
```

Run the seccomp agent in the background:
```bash
sudo ./contrib/cmd/seccompagent/seccompagent &
```

Prepare a container:
```bash
mkdir container-seccomp-notify
cd container-seccomp-notify
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -
```

Then, from the container directory you prepared earlier
(`container-seccomp-notify`), generate a config.json by running the script
gen-seccomp-example-cfg.sh, which is located in the same directory as this
README.md.

Then start the container:
```bash
runc run mycontainerid
```

The container will output something like this:
```bash
+ cd /dev/shm
+ mkdir test-dir
+ touch test-file
+ chmod 777 test-file
chmod: changing permissions of 'test-file': No medium found
+ stat /dev/shm/test-dir-foo
  File: /dev/shm/test-dir-foo
  Size: 40        	Blocks: 0          IO Block: 4096   directory
Device: 3eh/62d	Inode: 2           Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-09-09 15:03:13.043716040 +0000
Modify: 2021-09-09 15:03:13.043716040 +0000
Change: 2021-09-09 15:03:13.043716040 +0000
 Birth: -
+ ls -l /dev/shm
total 0
drwxr-xr-x 2 root root 40 Sep  9 15:03 test-dir-foo
-rw-r--r-- 1 root root  0 Sep  9 15:03 test-file
+ echo Note the agent added a suffix for the directory name and chmod fails
Note the agent added a suffix for the directory name and chmod fails
```

This shows a simple example that runs in /dev/shm just because it is a tmpfs in
the example config.json.

The agent makes all chmod calls fail with ENOMEDIUM, as the example output shows.

For mkdir, the agent adds a "-foo" suffix: the container runs "mkdir test-dir"
but the directory created is "test-dir-foo".
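
To review which syscalls a generated config.json hands to the agent before starting the container, the following added Go example (not part of runc or of this README) parses the `linux.seccomp` section defined by the OCI runtime spec and lists the rules whose action is `SCMP_ACT_NOTIFY`. The embedded config and its socket path `/run/example-agent.sock` are constructed for illustration and are not the output of gen-seccomp-example-cfg.sh; the function name `notifySyscalls` is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of the OCI runtime-spec linux.seccomp section used by this check.
type ociConfig struct {
	Linux struct {
		Seccomp struct {
			ListenerPath string `json:"listenerPath"`
			Syscalls     []struct {
				Names  []string `json:"names"`
				Action string   `json:"action"`
			} `json:"syscalls"`
		} `json:"seccomp"`
	} `json:"linux"`
}

// Constructed sample; the socket path is a placeholder, not a value from runc.
const sampleConfig = `{"linux": {"seccomp": {
  "listenerPath": "/run/example-agent.sock",
  "syscalls": [
    {"names": ["mkdir", "chmod"], "action": "SCMP_ACT_NOTIFY"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]}}}`

// notifySyscalls returns the listener socket path and the sorted list of
// syscalls whose handling is delegated to the agent listening on it.
func notifySyscalls(raw []byte) (string, []string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", nil, err
	}
	sc := cfg.Linux.Seccomp // zero value when the config has no seccomp section
	var names []string
	for _, rule := range sc.Syscalls {
		if rule.Action == "SCMP_ACT_NOTIFY" {
			names = append(names, rule.Names...)
		}
	}
	sort.Strings(names)
	if len(names) > 0 && sc.ListenerPath == "" {
		return "", names, fmt.Errorf("%v use SCMP_ACT_NOTIFY but listenerPath is empty", names)
	}
	return sc.ListenerPath, names, nil
}
func main() { fmt.Println(notifySyscalls([]byte(sampleConfig))) }
```

Every syscall this reports is decided by the agent process rather than by the kernel filter alone, so the list is the agent's exposure to container-controlled arguments.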
