Implement go-seccomp API interface

twtiger / gosecco

Go seccomp parser and compiler

GNU Lesser General Public License v3.0

53 stars 7 forks source link

Implement go-seccomp API interface #21

Closed chelseakomlo closed 8 years ago

chelseakomlo commented 8 years ago

[x] CheckSupport
[x] Prepare
[x] Compile
[x] Load
[x] Install
[x] CompileBlacklist
[x] InstallBlackList

olabini commented 8 years ago

I've added skeletons for these, but not implementations. We might want to add CompileBlacklist and InstallBlacklist as well, for compatibility?

chelseakomlo commented 8 years ago

Yes, we should add.

chelseakomlo commented 8 years ago

For CheckSupport, should we do just as go-seccomp does? https://github.com/subgraph/go-seccomp/blob/master/seccomp.go#L452

chelseakomlo commented 8 years ago

Actually @olabini, another question.

Should we support Compile and CompileBlackList as before? Or should Compile be able to handle both?

chelseakomlo commented 8 years ago

We need to talk about a good testing strategy for this. (mocking syscalls, etc)

olabini commented 8 years ago

I think we should keep both Compile and CompileBlacklist and try to make the API backwards compatible that way. They should all just be thin shims around the Prepare call with appropriate configurations in the config struct.

olabini commented 8 years ago

As mentioned in person, I'm not super concerned with mocking the syscalls and this stuff, it's small enough.

olabini commented 8 years ago

"enforce" argument
- for blacklist:
- ALLOW: enforce means "kill", otherwise "trace"
- THEN-part: enforce means "kill", otherwise "trace"
  - the then part is executed on POSITIVE outcome. otherwise def is executed.
- for whitelist:
- changes how the RETURN statement works. if enforce is false, RETURN will do TRACE, otherwise ERRNO

olabini commented 8 years ago

Prepare is currently not calling the simplifier, but once that's done, we are done.