Add Seccomp support

This change is rather large, but I think it's simpler to get in as
one unit. It:

- Adds a new ContainerizationSeccomp target/product that is a cBPF compiler
specifically for seccomp. Its main use is to take in an OCI seccomp description
and spit out a filter we can apply.
- Adds a new friendly SeccompProfile API to Containerization to specify what filters
you'd like applied. This will (as is the case for basically everything else) get
translated to OCI behind the scenes.
- Adds a small bit of logic in vmexec to apply the filters.

And unit and integration tests for everything. Unit testing is interesting. I've added a small
simulator so we actually have some semblance of testing outside of just integration tests
and seeing if the syscall is blocked/returns whatever.

Author: dcantah

Package.swift

@@ -33,6 +33,7 @@ let package = Package(
         .library(name: "ContainerizationOS", targets: ["ContainerizationOS"]),
         .library(name: "ContainerizationExtras", targets: ["ContainerizationExtras"]),
         .library(name: "ContainerizationArchive", targets: ["ContainerizationArchive"]),
+        .library(name: "ContainerizationSeccomp", targets: ["ContainerizationSeccomp"]),
         .executable(name: "cctl", targets: ["cctl"]),
     ],
     dependencies: [
@@ -264,5 +265,18 @@ let package = Package(
         .target(
             name: "CShim"
         ),
+        .target(
+            name: "ContainerizationSeccomp",
+            dependencies: [
+                "ContainerizationOCI"
+            ]
+        ),
+        .testTarget(
+            name: "ContainerizationSeccompTests",
+            dependencies: [
+                "ContainerizationSeccomp",
+                "ContainerizationOCI",
+            ]
+        ),
     ]
 )

Sources/Containerization/LinuxContainer.swift

@@ -64,6 +64,8 @@ public final class LinuxContainer: Container, Sendable {
         public var sockets: [UnixSocketConfiguration] = []
         /// The mounts for the container.
         public var mounts: [Mount] = LinuxContainer.defaultMounts()
+        /// Seccomp profile for system call filtering.
+        public var seccomp: SeccompProfile?
         /// The DNS configuration for the container.
         public var dns: DNS?
         /// The hosts to add to /etc/hosts for the container.
@@ -90,6 +92,7 @@ public final class LinuxContainer: Container, Sendable {
             interfaces: [any Interface] = [],
             sockets: [UnixSocketConfiguration] = [],
             mounts: [Mount] = LinuxContainer.defaultMounts(),
+            seccomp: SeccompProfile? = nil,
             dns: DNS? = nil,
             hosts: Hosts? = nil,
             virtualization: Bool = false,
@@ -105,6 +108,7 @@ public final class LinuxContainer: Container, Sendable {
             self.interfaces = interfaces
             self.sockets = sockets
             self.mounts = mounts
+            self.seccomp = seccomp
             self.dns = dns
             self.hosts = hosts
             self.virtualization = virtualization
@@ -356,6 +360,7 @@ public final class LinuxContainer: Container, Sendable {
 
         // Linux toggles.
         spec.linux?.sysctl = config.sysctl
+        spec.linux?.seccomp = config.seccomp?.toOCI(effectiveCapabilities: config.process.capabilities.effective)
 
         // If the rootfs was requested as read-only, set it in the OCI spec.
         // We let the OCI runtime remount as ro, instead of doing it originally.

Sources/Containerization/LinuxPod.swift

@@ -78,6 +78,8 @@ public final class LinuxPod: Sendable {
         public var sysctl: [String: String] = [:]
         /// The mounts for the container.
         public var mounts: [Mount] = LinuxContainer.defaultMounts()
+        /// Seccomp profile for system call filtering.
+        public var seccomp: SeccompProfile?
         /// The Unix domain socket relays to setup for the container.
         public var sockets: [UnixSocketConfiguration] = []
         /// The DNS configuration for the container.
@@ -230,6 +232,7 @@ public final class LinuxPod: Sendable {
 
         // Linux toggles
         spec.linux?.sysctl = config.sysctl
+        spec.linux?.seccomp = config.seccomp?.toOCI(effectiveCapabilities: config.process.capabilities.effective)
 
         // If the rootfs was requested as read-only, set it in the OCI spec.
         // We let the OCI runtime remount as ro, instead of doing it originally.