Skip to content

Extend experiment seccomp program#3464

Open
sat0ken wants to merge 41 commits intoyouki-dev:mainfrom
sat0ken:extend-experiment-seccomp
Open

Extend experiment seccomp program#3464
sat0ken wants to merge 41 commits intoyouki-dev:mainfrom
sat0ken:extend-experiment-seccomp

Conversation

@sat0ken
Copy link
Contributor

@sat0ken sat0ken commented Mar 17, 2026

Description

working #2724

// sorry for this PR is difficult to review.
// sorry for my mistake PR Closed #3463. Re open it

・add json file for more test case and create example dir
・some function copy to libcontainer/seccomp
・add check argument of system call
・bpf jmp instruction cannot jump more than 255. If the number of system calls exceeds 255, it will be split.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test updates
  • CI/CD related changes
  • Other (please describe):

Testing

  • Added new unit tests
  • Added new integration tests
  • Ran existing test suite
  • Tested manually (please provide steps)
  1. download test program from my repo.
  2. go build & go run
  3. run cargo run --example readjson
  4. compare print bpf code stdout step 2 and 3.

Related Issues

Fixes #

Additional Context

sat0ken and others added 30 commits March 17, 2026 23:51
@sat0ken
update seccomp program of update method and add function
bafe684 
- add default error return code to InstructionData
- add action to Rule
- add action to fn new of Rule and fix test code
- add seccomp compare op code to const
- ported function from libcontainer of seccomp
- update Cargo.toml and lock
- add const of seccomp flags
- add flags to InstructionData
- add derive
- improve implementation to generate filter from LinuxSeccomp
- update main.rs to use oci_spec
- fix format

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
implementation From trait
411d5bc 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
implement seccomp flags if config.json define
189f9a2 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
add BPF Instruction to validate
b6935ed 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
add fn to get nr offset from seccomp_data
c7f3bb0 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
modify generate BPF program order
e2ab133 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
implement check args of seccomp program and add test code
31b4379 
- modify systemcall of args check logic
- add for test code and add serde to use json
- update gen_validate
- update seccomp_data_args_offset to get args index
- add file for test
- update check argument code
- update check argument code
- fix test code
- remove unusual args from fn to_instruction_with_args
- add test code
- add test case with args
- add test for arm64

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
move test json file to tests
89f21fc 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change to return Result
d2af7a3 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change fn seccomp_data_args_offset to return Result
74b9b45 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
to change return Result, add unwrap
e90a95d 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
run cargo fmt
2a603e6 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix offset size
b6e6575 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
add design pattern to rule
8553674 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change method to return Result
7bc22e0 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change method name
e08d3f6 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
improve multipul variable set to use is_none method
a78e141 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix test code
c55e436 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
insert BPF_JMP to new to omit code
95e39db 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
omit BPM_JMP from code
122f266 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
add check argument count
3c02e29 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix if value is 0, set the value
f305bed 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix for cargo clippy
b32b1f0 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change argument string to Path
3a1f25c 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change to return Result and remove unwrap
016e768 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change struct name InstructionData to SeccompProgramPlan
2ade7c2 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
implement TryFrom to SeccompProgramPlan
415bae2 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
update oci-spec-rs
eaa47ca 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
errno correctly set to the value of action
87cfb8e 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
refactoring testutils.rs to use oci-spec-rs to parse json
22e6347 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
sat0ken added 11 commits March 17, 2026 23:59
@sat0ken
refactor fn try_from to separate logic
22d4a2f 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix test code and refactor
690a922 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
change type of syscall Vec<String> to Vec<u64> to sort
29ea7a6 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
add const to jump_num
15d0a31 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
cargo fmt
ada6110 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
minor update for test
03ac32b 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
create example dir and move main.rs
02ae9b3 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
fix typo
400e59c 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
update package and toolchain
e81c9d0 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
cargo fmt
9a0dcbf 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@sat0ken
remove unused package
c1dc2bc 
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
@saku3 saku3 added the kind/experimental `/experimental` label Mar 18, 2026
@sat0ken sat0ken mentioned this pull request Mar 19, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kind/experimental `/experimental`

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sat0ken @saku3