Proposal: use pre-generated BPF filter #1247
Comments
👍 |
+1, but I have a few questions:
|
I agree this would be useful. (I think I think just allowing a binary blob (probably base64-encoded I guess) to pass to My main concerns would be:
|
I remember this was already discussed somewhere some years ago, but I couldn't find it (perhaps on a different project?), so I am opening it again here to continue a discussion.
The current way of setting Seccomp rules in the OCI config file is quite inflexible and modeled around the libseccomp APIs.
I propose adding another way to pass the seccomp profile using the final BPF program to load, allowing for more adaptable and dynamic security configurations that can be generated outside of the OCI runtime itself.
crun already supports it through a custom annotation `run.oci.seccomp_bpf_data` specifying the BPF data to load.
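An illustration of a filter generated outside the runtime, added here and not taken from crun or the runtime-spec: it packs a small allow-list program as raw `struct sock_filter` entries and runs structural checks on the encoded blob before it would be handed on. The base64 encoding of the value, the x86_64 little-endian layout, the sample syscall numbers, and the names `build_allowlist` and `inspect_blob` are assumptions.

```python
import base64
import struct

# Constants from linux/bpf_common.h, linux/seccomp.h and linux/audit.h.
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06
RET_KILL_PROCESS, RET_ERRNO, RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
BPF_MAXINSNS = 4096
# struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; }, little-endian (assumed host)
INSN = struct.Struct("<HBBI")


def build_allowlist(allowed_nrs, errno=1):
    """Raw cBPF bytes: kill on foreign arch, allow listed syscalls, else fail with errno."""
    insns = [
        (LD_W_ABS, 0, 0, 4),               # A = seccomp_data.arch
        (JEQ_K, 1, 0, AUDIT_ARCH_X86_64),  # expected arch: skip the kill
        (RET_K, 0, 0, RET_KILL_PROCESS),
        (LD_W_ABS, 0, 0, 0),               # A = seccomp_data.nr
    ]
    for nr in allowed_nrs:
        insns += [(JEQ_K, 0, 1, nr), (RET_K, 0, 0, RET_ALLOW)]
    insns.append((RET_K, 0, 0, RET_ERRNO | errno))  # default action
    return b"".join(INSN.pack(*i) for i in insns)


def inspect_blob(b64_value):
    """Decode a base64 filter and run structural checks before trusting it."""
    raw = base64.b64decode(b64_value, validate=True)
    if not raw or len(raw) % INSN.size:
        raise ValueError("length is not a whole number of sock_filter entries")
    insns = [INSN.unpack_from(raw, off) for off in range(0, len(raw), INSN.size)]
    if len(insns) > BPF_MAXINSNS:
        raise ValueError("more than BPF_MAXINSNS instructions")
    for pc, (code, jt, jf, k) in enumerate(insns):
        if code & 0x07 == 0x05:  # BPF_JMP class
            reach = k if code & 0xF0 == 0 else max(jt, jf)  # BPF_JA jumps by k
            if pc + 1 + reach >= len(insns):
                raise ValueError(f"jump at {pc} leaves the program")
    if insns[-1][0] & 0x07 != 0x06:  # last instruction must be BPF_RET
        raise ValueError("program does not end in a return")
    return {
        "insns": len(insns),
        "checks_arch_first": insns[0] == (LD_W_ABS, 0, 0, 4),
        "return_values": sorted({k for code, _, _, k in insns if code == RET_K}),
    }


# Constructed sample: x86_64 numbers for read(0), write(1), exit(60), exit_group(231).
blob = base64.b64encode(build_allowlist([0, 1, 60, 231])).decode()
report = inspect_blob(blob)
```

The kernel still validates the program when it is loaded; the checks here only let a caller reject or summarise an opaque blob earlier.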