seccomp: set SPEC_ALLOW by default

If no seccomps flags are set in OCI runtime spec (not even the empty
set), set SPEC_ALLOW as the default (if it's supported).

Otherwise, use the flags as they are set (that includes no flags for
empty seccomp.Flags array).

This mimics the crun behavior, and makes runc seccomp performance on par
with crun.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

libcontainer/specconv/spec_linux.go

@@ -1021,12 +1021,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	newConfig.Syscalls = []*configs.Syscall{}
 
 	// The list of flags defined in runtime-spec is a subset of the flags
-	// in the seccomp() syscall
-	for _, flag := range config.Flags {
-		if err := seccomp.FlagSupported(flag); err != nil {
-			return nil, err
+	// in the seccomp() syscall.
+	if config.Flags == nil {
+		// No flags are set explicitly (not even the empty set);
+		// set the default of specs.LinuxSeccompFlagSpecAllow,
+		// if it is supported by the libseccomp and the kernel.
+		if err := seccomp.FlagSupported(specs.LinuxSeccompFlagSpecAllow); err == nil {
+			newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
+		}
+	} else {
+		// Fail early if some flags are unknown or unsupported.
+		for _, flag := range config.Flags {
+			if err := seccomp.FlagSupported(flag); err != nil {
+				return nil, err
+			}
+			newConfig.Flags = append(newConfig.Flags, flag)
 		}
-		newConfig.Flags = append(newConfig.Flags, flag)
 	}
 
 	if len(config.Architectures) > 0 {

tests/integration/seccomp.bats

@@ -80,7 +80,7 @@ function teardown() {
 			}'
 
 	declare -A FLAGS=(
-		['REMOVE']=0 # No setting, use built-in default.
+		['REMOVE']=4 # No setting, use built-in default.
 		['EMPTY']=0  # Empty set of flags.
 		['"SECCOMP_FILTER_FLAG_LOG"']=2
 		['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4