Skip to content

runtime-rs: add seccomp support for cloud hypervisor and firecracker #11536

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 14, 2025
Merged

runtime-rs: add seccomp support for cloud hypervisor and firecracker #11536

merged 1 commit into from
Aug 14, 2025
+9 −0

Conversation

was-saw
Copy link
Contributor

@was-saw was-saw commented Jul 8, 2025

The seccomp feature for Cloud Hypervisor and Firecracker is enabled by default. This commit introduces an option to disable seccomp for both and updates the built-in configuration.toml file accordingly.

Fixes: #11535

justxuewei
justxuewei reviewed Jul 9, 2025
View reviewed changes
src/runtime-rs/config/configuration-cloud-hypervisor.toml.in
Comment on lines +197 to +200
# Disable the 'seccomp' feature from Cloud Hypervisor or firecracker, default false
# disable_seccomp = true

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw you added a test condition for seccomp in fc, but why is it absent in clh?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been implemented in Cloud Hypervisor.

kata-containers/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs

Line 325 in 294b2c1

let disable_seccomp = cfg.security_info.disable_seccomp;

kata-containers/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs

Lines 358 to 360 in 294b2c1

if disable_seccomp {
cmd.args(["--seccomp", "false"]);
}

@Apokleos Apokleos mentioned this pull request Jul 10, 2025
Open
@was-saw @lifupan
runtime-rs: add seccomp support for cloud hypervisor and firecracker
f3a669e 
The seccomp feature for Cloud Hypervisor and Firecracker is enabled by default.
This commit introduces an option to disable seccomp for both and updates the built-in configuration.toml file accordingly.

Fixes: kata-containers#11535

Signed-off-by: wangxinge <wangxinge@bupt.edu.cn>
justxuewei
justxuewei approved these changes Aug 14, 2025
View reviewed changes
Copy link
Member

@justxuewei justxuewei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm, thanks!

@justxuewei justxuewei merged commit 479cce8 into kata-containers:main Aug 14, 2025
507 of 539 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justxuewei justxuewei justxuewei approved these changes

@lifupan lifupan lifupan approved these changes

Assignees
No one assigned
Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

runtime-rs: add seccomp support for cloud hypervisor and firecracker
3 participants
@was-saw @justxuewei @lifupan