Closed sandrobonazzola closed 3 weeks ago
@dougsland any clue of where the action_type should be taken from? command line parameter?
Howdy @sandrobonazzola,
First, good catch. Second, yes, I remember this. The idea was to be as dynamic as possible for RA team requests, but as we simplified things in a simple way, the extra parameter can even be removed, as I explain below.
Even though action_type is defined as an argument to jq, it is not used in the jq script itself. The script will look for syscalls with the action set to SCMP_ACT_ALLOW and modify them accordingly. Thus, the current script will work as intended without the need for action_type to be defined or set.
With that said, it's safe to remove it, as the tool is working as expected and scales as needed. It should be as simple as below, but as always we must verify with tests:
$ git diff
diff --git a/create-seccomp-rules b/create-seccomp-rules
index d90f0a0..2fc27e5 100755
--- a/create-seccomp-rules
+++ b/create-seccomp-rules
@@ -27,7 +27,6 @@ function remove_seccomp_entry_from_allow() {
temp_file=$(mktemp)
jq --tab \
--arg syscall "$syscall_name" \
- --arg action "$action_type" \
'(.syscalls[] | select(.names[] == $syscall and .action == "SCMP_ACT_ALLOW").names) |= map(select(. != $syscall))' \
"${seccomp_file_path}" > "$temp_file" && mv "$temp_file" "${seccomp_file_path}"
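Review bot: in remove_seccomp_entry_from_allow, the context lines `temp_file=$(mktemp)` and `mv "$temp_file" "${seccomp_file_path}"` replace the profile with a file that mktemp created with mode 0600, so the profile's original permissions are lost, and the temp file is left behind whenever jq fails. Consider writing the result back into the existing file (cat the temp file into `"${seccomp_file_path}"`, then remove it), or restoring the original mode after the move, and cleaning up the temp file on the failure path. With `--arg action` gone, it is also worth confirming that nothing else in the script still reads action_type.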
@@ -41,7 +40,6 @@ function add_syscall_deny_list() {
temp_file=$(mktemp)
jq --tab \
--arg syscall "$syscall_name" \
- --arg action "$action_type" \
'.syscalls += [{"names": [$syscall], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' \
"${seccomp_file_path}" > "$temp_file" && mv "$temp_file" "${seccomp_file_path}"
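Review bot: add_syscall_deny_list appends with `.syscalls += [...]` unconditionally, so calling it twice for the same syscall leaves duplicate SCMP_ACT_ERRNO entries in the profile. Guard the append so that it only happens when no entry with action SCMP_ACT_ERRNO already names `$syscall`. The new entry also writes both `"errnoRet": 1` and `"errno": "EPERM"`; a short comment saying why both fields are emitted would help the next reader.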
Could you please send a patch to us?
Thanks!
Looking at the source code of `create-seccomp-rules` there are calls to `jq` passing `--arg action "$action_type"` but `action_type` is not defined.
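The reply's claim that `--arg action` is never read can be checked by running the removal filter with and without it on the same input and comparing the results. The script below is an added example, not part of create-seccomp-rules: the function names and the sample profile are constructed, and only the two jq filters are copied from the diff in the thread.

```shell
#!/bin/sh
# Added example, not code from the create-seccomp-rules repository.
# Function names and the sample profile are constructed for illustration;
# the two jq filters are copied from the diff in the thread. Requires jq.
set -eu

# Constructed profile: "ptrace" is listed under ALLOW and under LOG.
sample_profile() {
	cat <<'EOF'
{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "ptrace"], "action": "SCMP_ACT_ALLOW", "args": []},
  {"names": ["ptrace"], "action": "SCMP_ACT_LOG", "args": []}
]}
EOF
}

REMOVE_FILTER='(.syscalls[] | select(.names[] == $syscall and .action == "SCMP_ACT_ALLOW").names) |= map(select(. != $syscall))'
DENY_FILTER='.syscalls += [{"names": [$syscall], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]'

# Pre-patch call: --arg action is passed, but $action never appears in the
# filter. action_type is unset in the script, so it expands to "" here.
remove_from_allow_old() {
	jq --tab --arg syscall "$1" --arg action "${action_type:-}" "$REMOVE_FILTER"
}

# Post-patch calls (stdin: profile JSON, $1: syscall name).
remove_from_allow() { jq --tab --arg syscall "$1" "$REMOVE_FILTER"; }
add_deny()          { jq --tab --arg syscall "$1" "$DENY_FILTER"; }

# Remove the syscall from the allow list, then append the EPERM entry.
deny_syscall() { remove_from_allow "$1" | add_deny "$1"; }

# Comma-separated actions of every entry that names syscall $1, in file order.
actions_for() {
	jq -r --arg syscall "$1" \
		'[.syscalls[] | select(any(.names[]; . == $syscall)) | .action] | join(",")'
}

# Demo when run as: sh example.sh --demo
if [ "${1:-}" = "--demo" ]; then
	sample_profile | deny_syscall ptrace
fi
```

Because the filter matches the literal `SCMP_ACT_ALLOW`, the constructed `SCMP_ACT_LOG` entry for `ptrace` is left in place; only the allow entry is edited.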