runtimetest: add validateSeccomp

Signed-off-by: Zhou Hao <[email protected]>

Author: Zhou Hao

cmd/runtimetest/main.go

@@ -576,6 +576,25 @@ func validateMaskedPaths(spec *rspec.Spec) error {
 	return nil
 }
 
+func validateSeccomp(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.Seccomp == nil {
+		return nil
+	}
+	for _, sys := range spec.Linux.Seccomp.Syscalls {
+		if sys.Action == "SCMP_ACT_ERRON" {
+			for _, name := range sys.Names {
+				if name == "getcwd" {
+					_, err := os.Getwd()
+					if err == nil {
+						logrus.Warnf("Syscall action %v can not be properly applied in the runtime", sys.Action)
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func validateROPaths(spec *rspec.Spec) error {
 	if spec.Linux == nil {
 		return nil
@@ -864,6 +883,10 @@ func run(context *cli.Context) error {
 			test:        validateOOMScoreAdj,
 			description: "oom score adj",
 		},
+		{
+			test:        validateSeccomp,
+			description: "seccomp",
+		},
 		{
 			test:        validateROPaths,
 			description: "read only paths",

validation/linux_seccomp.go

@@ -0,0 +1,20 @@
+package main
+
+import (
+	"github.com/opencontainers/runtime-tools/generate/seccomp"
+	"github.com/opencontainers/runtime-tools/validation/util"
+)
+
+func main() {
+	g := util.GetDefaultGenerator()
+	syscallArgs := seccomp.SyscallOpts{
+		Action:  "errno",
+		Syscall: "getcwd",
+	}
+	g.SetDefaultSeccompAction("allow")
+	g.SetSyscallAction(syscallArgs)
+	err := util.RuntimeInsideValidate(g, nil)
+	if err != nil {
+		util.Fatal(err)
+	}
+}