Update seccomp support and logging.
See detailed documentation MR: ecp-ci.gitlab.io!90 (merged)
Extensive updates to the default behaviors and available configurations for seccomp utilization:
- Updated libseccomp-golang library to v0.10.0; this means libseccomp must be 2.3.1+ moving forward. All CentOS/RHEL 7 deployments should meet this requirement, else seccomp must be disabled.
- Modified default block action behavior to better surface issues and stop the associated thread. If the API level is sufficient, then the offending system call is logged.
- Optional configuration to log all allowed actions. This is envisioned primarily for debug purposes.
- It is possible to disable or enforce `no_new_privs` via configuration even in cases where seccomp is enabled (privileged operation).
- The plugin feature is now supported without the need of a feature flag without any breaking changes from initial release.
Related: #139 (closed) (The added documentation will hopefully help, in addition to notes regarding no-longer required default rule).
Closes: #126 (closed)
Edited by Paul Bryant