Open KentaTada opened 2 years ago
Yeah, it would be good to have this in libseccomp. We currently use this as well in an open-coded version in LXD https://github.com/lxc/lxd/blob/98935b925c0caffc9d4a083c191671d553739313/lxd/seccomp/seccomp.go#L395
it needs a nice API. And note usually this is paired with pidfd_getfd().
Thanks for the issue, this has been in the back of my mind but I haven't had the chance to work on it yet. Having this as an issue should help a bit. I've gone ahead and added it to the v2.6.0 milestone too.
A quick word of caution if anyone else is looking into implementing this in libseccomp: before you simply copy the lxd code in Christian's reply, please note the license differences between the two projects.
The seccomp selftests upstream also have the basic logic in there fwiw.
The feature of addfd[1][2] allows the supervisor to install file descriptors into the intercepted task. By implementing this feature via seccomp the supervisor effectively instructs the supervisee to install a set of file descriptors into its own file descriptor table during the intercepted syscall. This feature is actually used to accelerate the container network[3].
We would like libseccomp to support addfd. For now, I am creating the issue although @ManaSugi and I don't have enough time to implement it currently.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=7cf97b12545503992020796c74bd84078eb39299
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c
[3] https://github.com/rootless-containers/bypass4netns
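Added example, not part of the thread and not libseccomp, LXD or kernel code: the addfd exchange described in the issue above, written in C against the raw seccomp(2)/ioctl interface. A supervisor forks a child that installs a user-notification filter for openat(), fetches the child's listener with pidfd_getfd() (the pairing mentioned earlier in the thread), and answers the intercepted openat() by installing the read end of its own pipe into the child with SECCOMP_IOCTL_NOTIF_ADDFD, then handing that fd number back through SECCOMP_IOCTL_NOTIF_SEND. The pipe stands in for the replacement socket a network bypass would install. Assumptions: the struct and ioctl fallbacks for older UAPI headers are copied from the layout in the kernel commits cited as [1] and [2]; the pidfd syscall numbers are the architecture-unified ones; the payload string is constructed for the demo; running it end to end needs Linux 5.9 or newer and permission to pidfd_getfd() the child (same user, Yama ptrace_scope at most 1). The two helpers, build_notify_filter() and make_addfd(), are pure and compile and run anywhere with Linux headers.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_IOCTL_NOTIF_ADDFD   /* fallback for UAPI headers older than 5.9; layout assumed from kernel/seccomp.c */
struct seccomp_notif_addfd { __u64 id; __u32 flags, srcfd, newfd, newfd_flags; };
#define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0)
#define SECCOMP_IOCTL_NOTIF_ADDFD _IOW('!', 3, struct seccomp_notif_addfd)
#endif
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434           /* syscall numbers >= 403 are identical on every arch */
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438
#endif
static const char kMsg[] = "hello from the supervisor";   /* constructed payload for the demo */

/* BPF: hand syscall `nr` to the listener, allow everything else. A real filter must
 * check seccomp_data.arch first (libseccomp does that for you); omitted for brevity. */
size_t build_notify_filter(int nr, struct sock_filter *out, size_t cap)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    if (cap < sizeof prog / sizeof prog[0]) return 0;
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* ADDFD request. newfd < 0 asks for the lowest free slot; otherwise SETFD installs
 * over `newfd` dup2()-style, which is how a socket gets swapped in place. */
struct seccomp_notif_addfd make_addfd(__u64 id, int srcfd, int newfd)
{
    struct seccomp_notif_addfd a = { .id = id, .srcfd = (__u32)srcfd, .newfd_flags = O_CLOEXEC };
    if (newfd >= 0) { a.flags = SECCOMP_ADDFD_FLAG_SETFD; a.newfd = (__u32)newfd; }
    return a;
}

/* Supervisee: install the filter, report the listener's fd number, then issue the
 * openat() that the supervisor answers with its pipe instead of /dev/null. */
static int run_child(int report_fd)
{
    struct sock_filter insns[8];
    struct sock_fprog prog = { .filter = insns, .len = (unsigned short)build_notify_filter(SYS_openat, insns, 8) };
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 2;
    int listener = (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (listener < 0 || write(report_fd, &listener, sizeof listener) != sizeof listener) return 2;
    int fd = (int)syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);   /* answered by the supervisor */
    char buf[64] = {0};
    if (fd < 0 || read(fd, buf, sizeof buf - 1) <= 0) return 3;
    return strcmp(buf, kMsg) == 0 ? 0 : 4;
}

/* Supervisor: handle one notification by installing the pipe's read end into the child. */
static int supervise(pid_t child, int listener)
{
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0}; int pfd[2];
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) return -1;   /* RECV needs a zeroed req */
    if ((pid_t)req.pid != child || req.data.nr != SYS_openat || pipe(pfd) != 0) return -1;
    if (write(pfd[1], kMsg, sizeof kMsg) < 0) return -1;
    close(pfd[1]);
    /* 5.9 protocol: ADDFD returns the number the fd got in the child, then SEND makes the
     * intercepted syscall return that number. SECCOMP_ADDFD_FLAG_SEND (5.14+) fuses both. */
    struct seccomp_notif_addfd addfd = make_addfd(req.id, pfd[0], -1);
    int fd_in_child = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
    close(pfd[0]);                                   /* the child now holds its own reference */
    if (fd_in_child < 0) return -1;
    resp.id = req.id;
    resp.val = fd_in_child;
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) == 0 ? fd_in_child : -1;
}

int main(void)
{
    int report[2], child_fd = -1, status = 0, fd_in_child = -1;
    if (pipe(report) != 0) return 1;
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) { close(report[0]); _exit(run_child(report[1])); }
    close(report[1]);
    if (read(report[0], &child_fd, sizeof child_fd) == sizeof child_fd) {
        /* Pull the listener straight out of the child's fd table (Linux >= 5.6). */
        int listener = (int)syscall(SYS_pidfd_getfd, syscall(SYS_pidfd_open, pid, 0), child_fd, 0);
        if (listener >= 0) fd_in_child = supervise(pid, listener);
    }
    if (fd_in_child < 0) kill(pid, SIGKILL);         /* never leave the child parked in openat() */
    waitpid(pid, &status, 0);
    printf("fd %d installed in child, child exit status %d\n", fd_in_child, WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return fd_in_child >= 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : 1;
}
```

Build with `cc -Wall` and run unprivileged on a 5.9+ kernel: a child exit status of 0 means the bytes it read through the fd it believes openat() returned came from the supervisor's pipe, never from /dev/null. For the in-place socket swap a network bypass needs, call make_addfd(req.id, replacement_fd, (int)req.data.args[0]) on an intercepted connect() so SETFD overwrites the supervisee's own socket slot rather than allocating a fresh number, and respond with val 0 instead of the fd.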