From ac817ceaf3a1ae99c4771f233fdee089a5819ddc Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Thu, 27 Aug 2020 15:26:23 -0700
Subject: [PATCH] Add seccomp support.

---
 containerd/containerd.go | 7 +++++++
 containerd/driver.go | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/containerd/containerd.go b/containerd/containerd.go
index 3f9fad2..1a54b6b 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -24,6 +24,7 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/cio"
+ "github.com/containerd/containerd/contrib/seccomp"
 "github.com/containerd/containerd/oci"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -65,6 +66,12 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
 opts = append(opts, oci.WithPrivileged)
 }
+ // Enable default seccomp profile.
+ // Allowed syscalls for the default seccomp profile: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
+ if config.Seccomp {
+ opts = append(opts, seccomp.WithDefaultProfile())
+ }
+
 // Launch container in read-only mode.
 if config.ReadOnlyRootfs {
 opts = append(opts, oci.WithRootFSReadonly())
diff --git a/containerd/driver.go b/containerd/driver.go
index 17157d0..f14a95a 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -92,6 +92,7 @@ var (
 "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
 "devices": hclspec.NewAttr("devices", "list(string)", false),
 "privileged": hclspec.NewAttr("privileged", "bool", false),
+ "seccomp": hclspec.NewAttr("seccomp", "bool", false),
 "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 "host_network": hclspec.NewAttr("host_network", "bool", false),
 "mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
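Review bot: The position of `seccomp.WithDefaultProfile()` in `opts` is load-bearing and the added comment does not say so: containerd's `DefaultProfile` derives its syscall allow-list from the capabilities already present in the spec (it inspects the bounding set, e.g. to admit the CAP_SYS_ADMIN-gated syscalls), so the option must run after every option that changes capabilities. It is correctly appended after `oci.WithPrivileged` here, but whether the `cap_add`/`cap_drop` handling precedes it is outside this hunk and should be checked; I would add `// DefaultProfile derives its allow-list from the capabilities already in the spec, so this must stay after WithPrivileged and any cap_add/cap_drop options.` The reference in the added comment points at `master` with line anchors that will drift; pin it to the containerd tag the module vendors, or name `DefaultProfile` in `contrib/seccomp/seccomp_default.go` without line numbers. createContainer continues outside the hunk.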
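Review bot: `seccomp` is declared as an optional bool with no default, so a task that omits it gets no syscall filter at all; for a container driver the conservative default is to apply the profile unless the job explicitly opts out. If that is the intent, declare it as `"seccomp": hclspec.NewDefault(hclspec.NewAttr("seccomp", "bool", false), hclspec.NewLiteral("true")),` so `TaskConfig.Seccomp` (the `@@ -140,6 +141,7 @@` hunk) is populated accordingly; if off-by-default is deliberate, the driver's config documentation should state it. The docs should also cover the combination with `privileged = true`: from the ordering in containerd.go the profile is still installed in that case, computed from the widened capability set, which is not what everyone expects from "privileged".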
@@ -140,6 +141,7 @@ type TaskConfig struct {
 CapAdd []string `codec:"cap_add"`
 CapDrop []string `codec:"cap_drop"`
 Devices []string `codec:"devices"`
+ Seccomp bool `codec:"seccomp"`
 Privileged bool `codec:"privileged"`
 ReadOnlyRootfs bool `codec:"readonly_rootfs"`
 HostNetwork bool `codec:"host_network"`
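Review bot: The new `Seccomp` field sits between `Devices` and `Privileged`, while the hclspec map in the previous hunk lists `seccomp` after `privileged`; keeping the struct and the spec in the same order makes the security-relevant knobs easier to audit side by side. Because the field toggles a syscall filter, a doc comment is warranted: `// Seccomp applies containerd's default seccomp profile to the task; when false, createContainer installs no syscall filter (as far as this patch shows).` TaskConfig continues outside the hunk.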