From 32196c8e33181df4aab1e2af55839bdcb5c3edb5 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 30 Aug 2022 12:05:02 -0700
Subject: [PATCH] seccomp: set SPEC_ALLOW by default

If no seccomps flags are set in OCI runtime spec (not even the empty set), set SPEC_ALLOW by default. Otherwise, use the flags set. This mimics the crun behavior, and makes runc seccomp performance on par with crun.

Signed-off-by: Kir Kolyshkin
(cherry picked from commit 9e97ec15843aa99ca16fc0588bd737d7d093e71e)
Signed-off-by: Kir Kolyshkin
---
 libcontainer/specconv/spec_linux.go | 26 ++++++++++++++++----------
 tests/integration/seccomp.bats | 2 +-
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index e741263b..e44c2a70 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -1018,16 +1018,22 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	newConfig := new(configs.Seccomp)
 	newConfig.Syscalls = []*configs.Syscall{}
 
-	// The list of flags defined in runtime-spec is a subset of the flags
-	// in the seccomp() syscall
-	for _, flag := range config.Flags {
-		switch flag {
-		case "SECCOMP_FILTER_FLAG_TSYNC":
-			// Tsync can be silently ignored
-		case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
-			newConfig.Flags = append(newConfig.Flags, flag)
-		default:
-			return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+	if config.Flags == nil {
+		// No flags are set explicitly (not even the empty set);
+		// set the default of specs.LinuxSeccompFlagSpecAllow.
+		newConfig.Flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
+	} else {
+		// The list of flags defined in runtime-spec is a subset of the flags
+		// in the seccomp() syscall.
+		for _, flag := range config.Flags {
+			switch flag {
+			case "SECCOMP_FILTER_FLAG_TSYNC":
+				// Tsync can be silently ignored
+			case specs.LinuxSeccompFlagLog, specs.LinuxSeccompFlagSpecAllow:
+				newConfig.Flags = append(newConfig.Flags, flag)
+			default:
+				return nil, fmt.Errorf("seccomp flag %q not yet supported by runc", flag)
+			}
 		}
 	}
diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
index ba767a1b..031c3f05 100644
--- a/tests/integration/seccomp.bats
+++ b/tests/integration/seccomp.bats
@@ -80,7 +80,7 @@ function teardown() {
 	}'
 	declare -A FLAGS=(
-		['REMOVE']=0 # No setting, use built-in default.
+		['REMOVE']=4 # No setting, use built-in default.
 		['EMPTY']=0 # Empty set of flags.
 		['"SECCOMP_FILTER_FLAG_LOG"']=2
 		['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4
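Review bot: The comment on the new `config.Flags == nil` branch should say what the chosen default means, because SECCOMP_FILTER_FLAG_SPEC_ALLOW opts the container's filter out of the kernel's Speculative Store Bypass mitigation, so a spec that omits Flags now gets a weaker mitigation posture than before while an explicit empty set keeps the old behaviour; something like `// Default to SPEC_ALLOW (skips the kernel's SSB mitigation for this filter), matching crun; an explicit empty Flags set still opts back in.` makes that visible to readers and to operators who rely on the default. The nil-versus-empty distinction also belongs in the doc comment of SetupSeccomp, whose body starts and ends outside this hunk. Separately, the whole loop is re-indented under an `else` only to supply the default; picking the slice first and keeping the loop flat avoids the else and most of the churn.
```go
	flags := config.Flags
	if flags == nil {
		// No flags set explicitly (not even the empty set): default to
		// SPEC_ALLOW, which skips the kernel's SSB mitigation for this filter.
		flags = []specs.LinuxSeccompFlag{specs.LinuxSeccompFlagSpecAllow}
	}
	for _, flag := range flags {
		// … unchanged: switch on flag …
	}
```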