From 1530149e202ed2726e756c3b4c8f852fc1839db6 Mon Sep 17 00:00:00 2001
From: Douglas Schilling Landgraf
Date: Wed, 29 Jan 2025 23:48:25 -0500
Subject: [PATCH] rename /usr/share/qm/seccomp.json

To be explicit the current seccomp.json DO NOT support realtime (rt) sched we will add it into the name of the file.

Signed-off-by: Douglas Schilling Landgraf
---
 create-seccomp-rules | 2 +-
 qm.container | 2 +-
 rpm/qm.spec | 2 +-
 tests/e2e/tools/FFI/deny_sched_setattr/README.md | 2 +-
 tests/e2e/tools/FFI/deny_set_scheduler/README.md | 2 +-
 tests/ffi/disk/test.sh | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/create-seccomp-rules b/create-seccomp-rules
index 2fc27e5c..9e5f1ae1 100755
--- a/create-seccomp-rules
+++ b/create-seccomp-rules
@@ -17,7 +17,7 @@ SECCOMP_CONTAINERS_FILE="/usr/share/containers/seccomp.json"
 SYSCALLS_TO_DENY=("sched_setscheduler" "sched_setattr")
-QM_PATH_SECCOMP="/usr/share/qm/seccomp.json"
+QM_PATH_SECCOMP="/usr/share/qm/seccomp-no-rt.json"
 QM_DIR="${QM_PATH_SECCOMP%/*}"
 function remove_seccomp_entry_from_allow() {
diff --git a/qm.container b/qm.container
index 8438c5be..f107ce14 100644
--- a/qm.container
+++ b/qm.container
@@ -50,7 +50,7 @@ AddCapability=all
 # For details see: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#unmask
 Unmask=ALL
 SecurityLabelNested=true
-SeccompProfile=/usr/share/qm/seccomp.json
+SeccompProfile=/usr/share/qm/seccomp-no-rt.json
 # PidsLimit
 # ---------
diff --git a/rpm/qm.spec b/rpm/qm.spec
index 549a19bb..71094558 100644
--- a/rpm/qm.spec
+++ b/rpm/qm.spec
@@ -10,7 +10,7 @@
 %global selinuxtype targeted
 %global moduletype services
 %global modulenames qm
-%global seccomp_json /usr/share/%{modulenames}/seccomp.json
+%global seccomp_json /usr/share/%{modulenames}/seccomp-no-rt.json
 %global setup_tool %{_prefix}/share/%{modulenames}/setup
 %global _installscriptdir %{_prefix}/lib/%{modulenames}
 
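Review bot: The renamed path is now spelled out independently in four places — `QM_PATH_SECCOMP` in this hunk, `SeccompProfile=` in qm.container, `%global seccomp_json` in rpm/qm.spec and the `PodmanArgs=` line in tests/ffi/disk/test.sh — and nothing ties them together, so the next rename can leave one behind and the container would then point at a profile that no longer exists. A comment on the assignment, `# Keep in sync with SeccompProfile= in qm.container and %seccomp_json in rpm/qm.spec`, makes the coupling visible; better still would be for the spec to hand the path to this script (an argument with the current value as the default) so the RPM owns the single definition. The hunk also does not show whether the script removes a stale `/usr/share/qm/seccomp.json` left by an earlier run; if it does not, a host updated outside the RPM could keep the old profile next to the new one, which deserves an `rm -f` of the old name or at least a comment saying why it is left alone. The hunk ends at the opening line of `remove_seccomp_entry_from_allow`, whose body lies outside it.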
diff --git a/tests/e2e/tools/FFI/deny_sched_setattr/README.md b/tests/e2e/tools/FFI/deny_sched_setattr/README.md
index 4b4bcd77..2b4a86ef 100644
--- a/tests/e2e/tools/FFI/deny_sched_setattr/README.md
+++ b/tests/e2e/tools/FFI/deny_sched_setattr/README.md
@@ -11,7 +11,7 @@ and must validated via FFI tests.
 ## How to deny is made?
-During the QM service startup it passes arguments to Podman. One of these arguments is `seccomp=/usr/share/qm/seccomp.json` which contains rules that deny the `sched_setattr()`.
+During the QM service startup it passes arguments to Podman. One of these arguments is `seccomp=/usr/share/qm/seccomp-no-rt.json` which contains rules that deny the `sched_setattr()`.
 ## How to test?
diff --git a/tests/e2e/tools/FFI/deny_set_scheduler/README.md b/tests/e2e/tools/FFI/deny_set_scheduler/README.md
index 30c5a6cf..2658a352 100644
--- a/tests/e2e/tools/FFI/deny_set_scheduler/README.md
+++ b/tests/e2e/tools/FFI/deny_set_scheduler/README.md
@@ -8,7 +8,7 @@ QM environment deny `set_scheduler()` syscall for safety and must be validated v
 ## How to deny is made?
-During the QM service startup it passes arguments to Podman. One of these arguments is `seccomp=/usr/share/qm/seccomp.json` which contains rules that deny the `set_scheduler()`.
+During the QM service startup it passes arguments to Podman. One of these arguments is `seccomp=/usr/share/qm/seccomp-no-rt.json` which contains rules that deny the `set_scheduler()`.
 ## How to test?
diff --git a/tests/ffi/disk/test.sh b/tests/ffi/disk/test.sh
index 18ed86f9..3948915d 100644
--- a/tests/ffi/disk/test.sh
+++ b/tests/ffi/disk/test.sh
@@ -33,7 +33,7 @@ OOMScoreAdjust=1000
 [Container]
 PodmanArgs=
-PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp.json --security-opt label=nested --security-opt unmask=all --memory 5G
+PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp-no-rt.json --security-opt label=nested --security-opt unmask=all --memory 5G
 EOF
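Review bot: The `PodmanArgs=` line written into the heredoc in tests/ffi/disk/test.sh hardcodes the profile path a second time, so this test only stays green as long as it is edited in lockstep with qm.container, and a mismatch would surface as a container start failure rather than as a clear test assertion. A guard before the heredoc such as `test -r /usr/share/qm/seccomp-no-rt.json || { echo "seccomp profile missing"; exit 1; }` turns that into an explicit, attributable failure. If the heredoc delimiter is unquoted, the path could instead live in one variable at the top of the script and be interpolated here; the `<<` line is outside the hunk, so I cannot tell which form is used. The heredoc and the enclosing function begin outside the hunk.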