Add Seccomp support

This change is rather large, but I think it's simpler to get in as
one unit. It:

- Adds a new ContainerizationSeccomp target/product that is a cBPF compiler
specifically for seccomp. Its main use is to take in an OCI seccomp description
and spit out a filter we can apply.
- Adds a new friendly SeccompProfile API to Containerization to specify what filters
you'd like applied. This will (as is the case for basically everything else) get
translated to OCI behind the scenes.
- Adds a small bit of logic in vmexec to apply the filters.

And unit and integration tests for everything. Unit testing is interesting. I've added a small
simulator so we actually have some semblance of testing outside of just integration tests
and seeing if the syscall is blocked/returns whatever.

Author: dcantah

Package.swift

@@ -33,6 +33,7 @@ let package = Package(
         .library(name: "ContainerizationOS", targets: ["ContainerizationOS"]),
         .library(name: "ContainerizationExtras", targets: ["ContainerizationExtras"]),
         .library(name: "ContainerizationArchive", targets: ["ContainerizationArchive"]),
+        .library(name: "ContainerizationSeccomp", targets: ["ContainerizationSeccomp"]),
         .library(name: "VminitdCore", targets: ["VminitdCore", "Cgroup", "LCShim"]),
         .executable(name: "cctl", targets: ["cctl"]),
     ],
@@ -294,6 +295,19 @@ let package = Package(
             ],
             path: "vminitd/Sources/VminitdCore"
         ),
+        .target(
+            name: "ContainerizationSeccomp",
+            dependencies: [
+                "ContainerizationOCI"
+            ]
+        ),
+        .testTarget(
+            name: "ContainerizationSeccompTests",
+            dependencies: [
+                "ContainerizationSeccomp",
+                "ContainerizationOCI",
+            ]
+        ),
     ]
 )
 

Sources/Containerization/LinuxContainer.swift

@@ -67,6 +67,8 @@ public final class LinuxContainer: Container, Sendable {
         public var sockets: [UnixSocketConfiguration] = []
         /// The mounts for the container.
         public var mounts: [Mount] = LinuxContainer.defaultMounts()
+        /// Seccomp profile for system call filtering.
+        public var seccomp: SeccompProfile?
         /// The DNS configuration for the container.
         public var dns: DNS?
         /// The hosts to add to /etc/hosts for the container.
@@ -100,6 +102,7 @@ public final class LinuxContainer: Container, Sendable {
             interfaces: [any Interface] = [],
             sockets: [UnixSocketConfiguration] = [],
             mounts: [Mount] = LinuxContainer.defaultMounts(),
+            seccomp: SeccompProfile? = nil,
             dns: DNS? = nil,
             hosts: Hosts? = nil,
             virtualization: Bool = false,
@@ -117,6 +120,7 @@ public final class LinuxContainer: Container, Sendable {
             self.interfaces = interfaces
             self.sockets = sockets
             self.mounts = mounts
+            self.seccomp = seccomp
             self.dns = dns
             self.hosts = hosts
             self.virtualization = virtualization
@@ -394,6 +398,7 @@ public final class LinuxContainer: Container, Sendable {
 
         // Linux toggles.
         spec.linux?.sysctl = config.sysctl
+        spec.linux?.seccomp = config.seccomp?.toOCI(effectiveCapabilities: config.process.capabilities.effective)
 
         // If the rootfs was requested as read-only, set it in the OCI spec.
         // We let the OCI runtime remount as ro, instead of doing it originally.

Sources/Containerization/LinuxPod.swift

@@ -83,6 +83,8 @@ public final class LinuxPod: Sendable {
         public var sysctl: [String: String] = [:]
         /// The mounts for the container.
         public var mounts: [Mount] = LinuxContainer.defaultMounts()
+        /// Seccomp profile for system call filtering.
+        public var seccomp: SeccompProfile?
         /// The Unix domain socket relays to setup for the container.
         public var sockets: [UnixSocketConfiguration] = []
         /// The DNS configuration for the container.
@@ -281,6 +283,7 @@ public final class LinuxPod: Sendable {
 
         // Linux toggles
         spec.linux?.sysctl = config.sysctl
+        spec.linux?.seccomp = config.seccomp?.toOCI(effectiveCapabilities: config.process.capabilities.effective)
 
         // If the rootfs was requested as read-only, set it in the OCI spec.
         // We let the OCI runtime remount as ro, instead of doing it originally.