runtimetest: add validateSeccomp

Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>

Author: Zhou Hao

cmd/runtimetest/main.go

@@ -496,6 +496,25 @@ func validateMaskedPaths(spec *rspec.Spec) error {
 	return nil
 }
 
+func validateSeccomp(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.Seccomp == nil {
+		return nil
+	}
+	for _, sys := range spec.Linux.Seccomp.Syscalls {
+		if sys.Action == "SCMP_ACT_ERRON" {
+			for _, name := range sys.Names {
+				if name == "getcwd" {
+					_, err := os.Getwd()
+					if err == nil {
+						logrus.Warnf("Syscall action %v can not be properly implemented in the runtime", sys.Action)
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func validateROPaths(spec *rspec.Spec) error {
 	if spec.Linux == nil {
 		return nil
@@ -775,6 +794,10 @@ func run(context *cli.Context) error {
 			test:        validateOOMScoreAdj,
 			description: "oom score adj",
 		},
+		{
+			test:        validateSeccomp,
+			description: "seccomp",
+		},
 		{
 			test:        validateROPaths,
 			description: "read only paths",

validation/validation_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/opencontainers/runtime-tools/generate/seccomp"
 	"github.com/opencontainers/runtime-tools/specerror"
 )
 
@@ -130,6 +131,19 @@ func TestValidateRlimits(t *testing.T) {
 	assert.Nil(t, runtimeInsideValidate(g))
 }
 
+// Test whether seccomp can be applied or not
+func TestValidateSeccomp(t *testing.T) {
+	g := getDefaultGenerator()
+	syscallArgs := seccomp.SyscallOpts{
+		Action:  "errno",
+		Syscall: "getcwd",
+	}
+	g.SetDefaultSeccompAction("allow")
+	g.SetSyscallAction(syscallArgs)
+
+	assert.Nil(t, runtimeInsideValidate(g))
+}
+
 // Test whether sysctls can be applied or not
 func TestValidateSysctls(t *testing.T) {
 	g := getDefaultGenerator()