kinvolk / seccompagent

agent for handling seccomp descriptors for container runtimes
Apache License 2.0

Implement freeze handler #20

Closed alban closed 2 years ago

alban commented 2 years ago

Implement freeze handler

This is the "freeze" cgroup to freeze the container and allow manual inspection of the container while all processes are suspended.

How to use

Use a Seccomp Policy with "freeze-container":

  listenerPath: "/run/seccomp-agent.socket"
  listenerMetadata: "DEFAULT_ACTION=freeze-container"

Try a forbidden syscall:

$ kubectl exec -ti mypod -- /bin/sh
/ # unshare -u

The container is frozen.

Testing done

See above.
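As an added illustration (not seccompagent's own code) of what a "freeze-container" default action has to do once the listener receives a notification: read the offending process's cgroup and write to the cgroup v2 freezer. It assumes a cgroup v2 host, that the agent has already resolved the notifying PID, and that the cgroup2 mount is passed in as cgroupRoot; all function names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// shouldFreeze reports whether listenerMetadata selects the freeze-container default action.
func shouldFreeze(listenerMetadata string) bool {
	for _, kv := range strings.Fields(listenerMetadata) {
		if kv == "DEFAULT_ACTION=freeze-container" {
			return true
		}
	}
	return false
}

// parseCgroupV2Path returns the unified-hierarchy path ("0::/path" line) from /proc/<pid>/cgroup content.
func parseCgroupV2Path(procCgroup string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(procCgroup))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3) // hierarchy-id:controllers:path
		if len(parts) == 3 && parts[0] == "0" && parts[1] == "" {
			return parts[2], nil
		}
	}
	return "", fmt.Errorf("no cgroup v2 entry in /proc/<pid>/cgroup")
}

// freezeContainerOf writes "1" to cgroup.freeze of the cgroup described by procCgroup,
// which suspends every process in that cgroup (the container stays inspectable).
func freezeContainerOf(cgroupRoot, procCgroup string) (string, error) {
	path, err := parseCgroupV2Path(procCgroup)
	if err != nil {
		return "", err
	}
	// Clean the path so a crafted /proc entry cannot point outside cgroupRoot.
	target := filepath.Join(cgroupRoot, filepath.Clean("/"+path), "cgroup.freeze")
	return path, os.WriteFile(target, []byte("1\n"), 0o644)
}

func main() { // dry run: report which cgroup would be frozen for this process, no write
	data, _ := os.ReadFile("/proc/self/cgroup")
	fmt.Println(parseCgroupV2Path(string(data)))
}
```

Thawing is the same write with "0"; on cgroup v1 the equivalent file is freezer.state under the freezer controller's mount, which this sketch does not handle.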

alban commented 2 years ago

Thanks for the review! I think I addressed all the comments.

rata commented 2 years ago

@alban thanks! Most are solved, one small thing and more questions about if we really need a regex (it seems we don't and I'd like to avoid it if possible). Ping me when you answer, in case I miss the notification :)

alban commented 2 years ago

@rata Branch updated, this time without regex!