Manabu Sugimoto

Results: 13 issues by Manabu Sugimoto

Kata containers enable SELinux for containers running inside the guest to improve security. With this feature enabled, `kata-agent` is launched with the `container_runtime_t` type and container processes are launched with...

wip
area/agent
area/runtime
area/osbuilder
area/security
size/large
kernel

## Background

Mandatory Access Control (MAC) is a key technology for hardening processes by limiting the privilege to the minimum required to work. [Security-Enhanced Linux (SELinux)](http://www.selinuxproject.org/page/Main_Page) is one of...

feature
needs-review
area/agent
area/runtime
area/osbuilder

Hello, I have a question about the [`SCMP_FLTATR_API_TSKIP`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html) attribute. `SCMP_FLTATR_API_TSKIP` has been supported since https://github.com/seccomp/libseccomp/commit/dc879990774b5fe0b5d3362ae592e8a5bb615fbb in order to address #80, and the man page explains it as follows: > A flag...

question
priority/medium
pending/review

# OCI Security Context

## Summary

* The existing high-level container runtimes (e.g., `containerd`) offer their default Seccomp profiles that are allowlists of system calls to make containers secure.
* ...

`runk` should be verified in CI by [OCI runtime-tools](https://github.com/opencontainers/runtime-tools) to check if `runk` is compliant with [OCI runtime spec](https://github.com/opencontainers/runtime-spec). This test will be helpful for verifying Kata agent because `runk`...

enhancement
needs-review

Add descriptions of how to build the agent with the libseccomp library to the developer guide. In order to build the agent statically linked with libseccomp by hand, not...

do-not-merge
size/medium

Separate each syscall condition (argument) for the personality syscall into a single rule, because libseccomp can only compare each condition once in a single rule. Otherwise, adding the rule returns EINVAL...

Add the regression tests (1-60) for the libseccomp crate, which is the Rust language binding for the libseccomp library. You can run the tests as follows: ```sh $ sed -i "/^AC_INIT/...

enhancement
pending/review

Add a test case which checks whether AppArmor inside the guest works properly using containerd. The test creates a container configured to apply the `kata-default` profile, then it checks the...

size/medium

AppArmor support on the guest side will be added to the Kata containers by kata-containers/kata-containers#7587, so let's test the feature in our CI.

enhancement
needs-review