mirror of
https://github.com/opencontainers/runc.git
synced 2026-04-22 23:17:17 +08:00
Kir Kolyshkin
0079bee17f
This adds support for WaitKillableRecv seccomp flag (also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel). This requires: - libseccomp >= 2.6.0 - libseccomp-golang >= 0.11.0 - linux kernel >= 5.19 Note that this flag does not make sense without NEW_LISTENER, and the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set. For runc this means that .linux.seccomp.listenerPath should also be set, and some of the seccomp rules should have SCMP_ACT_NOTIFY action. This is why the flag is tested separately in seccomp-notify.bats. At the moment the only adequate CI environment for this functionality is Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04) it is skipped similar to this: > ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
815 B
815 B
Spec conformance
This branch of runc implements the OCI Runtime Spec v1.3.0
for the linux platform.
Architectures
The following architectures are supported:
| runc binary | seccomp |
|---|---|
amd64 |
SCMP_ARCH_X86, SCMP_ARCH_X86_64, SCMP_ARCH_X32 |
arm64 |
SCMP_ARCH_ARM, SCMP_ARCH_AARCH64 |
armel |
SCMP_ARCH_ARM |
armhf |
SCMP_ARCH_ARM |
ppc64le |
SCMP_ARCH_PPC64LE |
riscv64 |
SCMP_ARCH_RISCV64 |
s390x |
SCMP_ARCH_S390, SCMP_ARCH_S390X |
loong64 |
SCMP_ARCH_LOONGARCH64 |
The runc binary might be compilable for i386, big-endian PPC64, and several MIPS variants too, but these architectures are not officially supported.