`0a4cf06`

runner/config: install pinned seccomp profile

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 days ago

SHA: 0a4cf06cd2aa47e618d0a0d00aa89e611b4cd5d6
Parents: 713648d
Tree: b036154

9 changed files

Status	File	+	-
M	`cmd/shithubd-runner/run.go`	31	21
M	`deploy/ansible/roles/shithubd-runner/defaults/main.yml`	3	0
M	`deploy/ansible/roles/shithubd-runner/tasks/main.yml`	9	0
M	`deploy/ansible/roles/shithubd-runner/templates/config.toml.j2`	3	0
A	`deploy/runner-config/README.md`	16	0
A	`deploy/runner-config/seccomp.json`	875	0
M	`deploy/systemd/shithubd-runner.service`	3	2
M	`internal/runner/config/config.go`	33	13
M	`internal/runner/config/config_test.go`	37	3

cmd/shithubd-runner/run.gomodified

  			return err
+ 		}
  		execEngine := engine.NewDocker(engine.DockerConfig{
 -			Binary:       cfg.Engine.Kind,
 -			DefaultImage: cfg.Engine.DefaultImage,
 -			Network:      cfg.Engine.Network,
 -			Memory:       cfg.Engine.Memory,
 -			CPUs:         cfg.Engine.CPUs,
 -			Stdout:       os.Stdout,
 -			Stderr:       os.Stderr,
 +			Binary:         cfg.Engine.Kind,
 +			DefaultImage:   cfg.Engine.DefaultImage,
 +			Network:        cfg.Engine.Network,
 +			Memory:         cfg.Engine.Memory,
 +			CPUs:           cfg.Engine.CPUs,
 +			SeccompProfile: cfg.Engine.SeccompProfile,
 +			User:           cfg.Engine.User,
 +			PidsLimit:      cfg.Engine.PidsLimit,
 +			Stdout:         os.Stdout,
 +			Stderr:         os.Stderr,
 +			Logger:         logger,
  		})
  		r := runnerpkg.New(runnerpkg.Options{
  			API:          client,
  	runCmd.Flags().String("network", "", "Container network")
  	runCmd.Flags().String("memory", "", "Container memory limit")
  	runCmd.Flags().String("cpus", "", "Container CPU limit")
 +	runCmd.Flags().String("seccomp-profile", "", "Container seccomp profile path")
 +	runCmd.Flags().String("container-user", "", "Default container user")
 +	runCmd.Flags().Int("pids-limit", 0, "Container PID limit")
  	runCmd.Flags().String("log-level", "", "Log level: debug, info, warn, error")
  	runCmd.Flags().String("log-format", "", "Log format: text or json")
+ }
  func flagOverrides(cmd *cobra.Command) map[string]string {
  	keys := map[string]string{
 -		"server-url":     "server.base_url",
 -		"token":          "runner.token",
 -		"labels":         "runner.labels",
 -		"capacity":       "runner.capacity",
 -		"poll-interval":  "runner.poll_interval",
 -		"workspace-root": "runner.workspace_root",
 -		"workspace-ttl":  "runner.workspace_ttl",
 -		"engine":         "engine.kind",
 -		"image":          "engine.default_image",
 -		"network":        "engine.network",
 -		"memory":         "engine.memory",
 -		"cpus":           "engine.cpus",
 -		"log-level":      "log.level",
 -		"log-format":     "log.format",
 +		"server-url":      "server.base_url",
 +		"token":           "runner.token",
 +		"labels":          "runner.labels",
 +		"capacity":        "runner.capacity",
 +		"poll-interval":   "runner.poll_interval",
 +		"workspace-root":  "runner.workspace_root",
 +		"workspace-ttl":   "runner.workspace_ttl",
 +		"engine":          "engine.kind",
 +		"image":           "engine.default_image",
 +		"network":         "engine.network",
 +		"memory":          "engine.memory",
 +		"cpus":            "engine.cpus",
 +		"seccomp-profile": "engine.seccomp_profile",
 +		"container-user":  "engine.user",
 +		"pids-limit":      "engine.pids_limit",
 +		"log-level":       "log.level",
 +		"log-format":      "log.format",
+ 	}
  	out := make(map[string]string)
  	cmd.Flags().Visit(func(f *pflag.Flag) {

deploy/ansible/roles/shithubd-runner/defaults/main.ymlmodified

  shithub_runner_network: bridge
  shithub_runner_memory: 2g
  shithub_runner_cpus: "2"
 +shithub_runner_seccomp_profile: /etc/shithubd-runner/seccomp.json
 +shithub_runner_container_user: "65534:65534"
 +shithub_runner_pids_limit: 512
  shithub_runner_log_level: info
  shithub_runner_log_format: text

deploy/ansible/roles/shithubd-runner/tasks/main.ymlmodified

    no_log: true
    notify: restart shithubd-runner
 +- name: Runner seccomp profile
 +  copy:
 +    src: "{{ playbook_dir }}/../runner-config/seccomp.json"
 +    dest: "{{ shithub_runner_seccomp_profile }}"
 +    owner: root
 +    group: shithub-runner
 +    mode: "0640"
 +  notify: restart shithubd-runner
++
  - name: Runner systemd unit
    copy:
      src: "{{ playbook_dir }}/../systemd/shithubd-runner.service"

deploy/ansible/roles/shithubd-runner/templates/config.toml.j2modified

  network = "{{ shithub_runner_network }}"
  memory = "{{ shithub_runner_memory }}"
  cpus = "{{ shithub_runner_cpus }}"
 +seccomp_profile = "{{ shithub_runner_seccomp_profile }}"
 +user = "{{ shithub_runner_container_user }}"
 +pids_limit = {{ shithub_runner_pids_limit }}
  [log]
  level = "{{ shithub_runner_log_level }}"

deploy/runner-config/README.mdadded

 +# Runner config assets
++
 +`seccomp.json` is a pinned copy of Docker/Moby's default seccomp
 +profile. It is copied to `/etc/shithubd-runner/seccomp.json` by the
 +`shithubd-runner` Ansible role and passed to each step container via:
++
 +```sh
 +--security-opt=seccomp=/etc/shithubd-runner/seccomp.json
 +```
++
 +Source: `moby/moby` commit
 +`7d169a7f0ccd8f79edb6ad02ba20025cb487b217`,
 +`vendor/github.com/moby/profiles/seccomp/default.json`.
++
 +Update this file deliberately when changing Docker daemon versions or
 +runner syscall posture.

deploy/runner-config/seccomp.jsonadded

 +{
 +	"defaultAction": "SCMP_ACT_ERRNO",
 +	"defaultErrnoRet": 1,
 +	"archMap": [
 +		{
 +			"architecture": "SCMP_ARCH_X86_64",
 +			"subArchitectures": [
 +				"SCMP_ARCH_X86",
 +				"SCMP_ARCH_X32"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_AARCH64",
 +			"subArchitectures": [
 +				"SCMP_ARCH_ARM"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_MIPS64",
 +			"subArchitectures": [
 +				"SCMP_ARCH_MIPS",
 +				"SCMP_ARCH_MIPS64N32"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_MIPS64N32",
 +			"subArchitectures": [
 +				"SCMP_ARCH_MIPS",
 +				"SCMP_ARCH_MIPS64"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_MIPSEL64",
 +			"subArchitectures": [
 +				"SCMP_ARCH_MIPSEL",
 +				"SCMP_ARCH_MIPSEL64N32"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_MIPSEL64N32",
 +			"subArchitectures": [
 +				"SCMP_ARCH_MIPSEL",
 +				"SCMP_ARCH_MIPSEL64"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_S390X",
 +			"subArchitectures": [
 +				"SCMP_ARCH_S390"
 +			]
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_RISCV64",
 +			"subArchitectures": null
 +		},
 +		{
 +			"architecture": "SCMP_ARCH_LOONGARCH64",
 +			"subArchitectures": null
 +		}
 +	],
 +	"syscalls": [
 +		{
 +			"names": [
 +				"accept",
 +				"accept4",
 +				"access",
 +				"adjtimex",
 +				"alarm",
 +				"bind",
 +				"brk",
 +				"cachestat",
 +				"capget",
 +				"capset",
 +				"chdir",
 +				"chmod",
 +				"chown",
 +				"chown32",
 +				"clock_adjtime",
 +				"clock_adjtime64",
 +				"clock_getres",
 +				"clock_getres_time64",
 +				"clock_gettime",
 +				"clock_gettime64",
 +				"clock_nanosleep",
 +				"clock_nanosleep_time64",
 +				"close",
 +				"close_range",
 +				"connect",
 +				"copy_file_range",
 +				"creat",
 +				"dup",
 +				"dup2",
 +				"dup3",
 +				"epoll_create",
 +				"epoll_create1",
 +				"epoll_ctl",
 +				"epoll_ctl_old",
 +				"epoll_pwait",
 +				"epoll_pwait2",
 +				"epoll_wait",
 +				"epoll_wait_old",
 +				"eventfd",
 +				"eventfd2",
 +				"execve",
 +				"execveat",
 +				"exit",
 +				"exit_group",
 +				"faccessat",
 +				"faccessat2",
 +				"fadvise64",
 +				"fadvise64_64",
 +				"fallocate",
 +				"fanotify_mark",
 +				"fchdir",
 +				"fchmod",
 +				"fchmodat",
 +				"fchmodat2",
 +				"fchown",
 +				"fchown32",
 +				"fchownat",
 +				"fcntl",
 +				"fcntl64",
 +				"fdatasync",
 +				"fgetxattr",
 +				"flistxattr",
 +				"flock",
 +				"fork",
 +				"fremovexattr",
 +				"fsetxattr",
 +				"fstat",
 +				"fstat64",
 +				"fstatat64",
 +				"fstatfs",
 +				"fstatfs64",
 +				"fsync",
 +				"ftruncate",
 +				"ftruncate64",
 +				"futex",
 +				"futex_requeue",
 +				"futex_time64",
 +				"futex_wait",
 +				"futex_waitv",
 +				"futex_wake",
 +				"futimesat",
 +				"getcpu",
 +				"getcwd",
 +				"getdents",
 +				"getdents64",
 +				"getegid",
 +				"getegid32",
 +				"geteuid",
 +				"geteuid32",
 +				"getgid",
 +				"getgid32",
 +				"getgroups",
 +				"getgroups32",
 +				"getitimer",
 +				"getpeername",
 +				"getpgid",
 +				"getpgrp",
 +				"getpid",
 +				"getppid",
 +				"getpriority",
 +				"getrandom",
 +				"getresgid",
 +				"getresgid32",
 +				"getresuid",
 +				"getresuid32",
 +				"getrlimit",
 +				"get_robust_list",
 +				"getrusage",
 +				"getsid",
 +				"getsockname",
 +				"getsockopt",
 +				"get_thread_area",
 +				"gettid",
 +				"gettimeofday",
 +				"getuid",
 +				"getuid32",
 +				"getxattr",
 +				"getxattrat",
 +				"inotify_add_watch",
 +				"inotify_init",
 +				"inotify_init1",
 +				"inotify_rm_watch",
 +				"io_cancel",
 +				"ioctl",
 +				"io_destroy",
 +				"io_getevents",
 +				"io_pgetevents",
 +				"io_pgetevents_time64",
 +				"ioprio_get",
 +				"ioprio_set",
 +				"io_setup",
 +				"io_submit",
 +				"ipc",
 +				"kill",
 +				"landlock_add_rule",
 +				"landlock_create_ruleset",
 +				"landlock_restrict_self",
 +				"lchown",
 +				"lchown32",
 +				"lgetxattr",
 +				"link",
 +				"linkat",
 +				"listen",
 +				"listmount",
 +				"listxattr",
 +				"listxattrat",
 +				"llistxattr",
 +				"_llseek",
 +				"lremovexattr",
 +				"lseek",
 +				"lsetxattr",
 +				"lstat",
 +				"lstat64",
 +				"madvise",
 +				"map_shadow_stack",
 +				"membarrier",
 +				"memfd_create",
 +				"memfd_secret",
 +				"mincore",
 +				"mkdir",
 +				"mkdirat",
 +				"mknod",
 +				"mknodat",
 +				"mlock",
 +				"mlock2",
 +				"mlockall",
 +				"mmap",
 +				"mmap2",
 +				"mprotect",
 +				"mq_getsetattr",
 +				"mq_notify",
 +				"mq_open",
 +				"mq_timedreceive",
 +				"mq_timedreceive_time64",
 +				"mq_timedsend",
 +				"mq_timedsend_time64",
 +				"mq_unlink",
 +				"mremap",
 +				"mseal",
 +				"msgctl",
 +				"msgget",
 +				"msgrcv",
 +				"msgsnd",
 +				"msync",
 +				"munlock",
 +				"munlockall",
 +				"munmap",
 +				"name_to_handle_at",
 +				"nanosleep",
 +				"newfstatat",
 +				"_newselect",
 +				"open",
 +				"openat",
 +				"openat2",
 +				"pause",
 +				"pidfd_open",
 +				"pidfd_send_signal",
 +				"pipe",
 +				"pipe2",
 +				"pkey_alloc",
 +				"pkey_free",
 +				"pkey_mprotect",
 +				"poll",
 +				"ppoll",
 +				"ppoll_time64",
 +				"prctl",
 +				"pread64",
 +				"preadv",
 +				"preadv2",
 +				"prlimit64",
 +				"process_mrelease",
 +				"pselect6",
 +				"pselect6_time64",
 +				"pwrite64",
 +				"pwritev",
 +				"pwritev2",
 +				"read",
 +				"readahead",
 +				"readlink",
 +				"readlinkat",
 +				"readv",
 +				"recv",
 +				"recvfrom",
 +				"recvmmsg",
 +				"recvmmsg_time64",
 +				"recvmsg",
 +				"remap_file_pages",
 +				"removexattr",
 +				"removexattrat",
 +				"rename",
 +				"renameat",
 +				"renameat2",
 +				"restart_syscall",
 +				"riscv_hwprobe",
 +				"rmdir",
 +				"rseq",
 +				"rt_sigaction",
 +				"rt_sigpending",
 +				"rt_sigprocmask",
 +				"rt_sigqueueinfo",
 +				"rt_sigreturn",
 +				"rt_sigsuspend",
 +				"rt_sigtimedwait",
 +				"rt_sigtimedwait_time64",
 +				"rt_tgsigqueueinfo",
 +				"sched_getaffinity",
 +				"sched_getattr",
 +				"sched_getparam",
 +				"sched_get_priority_max",
 +				"sched_get_priority_min",
 +				"sched_getscheduler",
 +				"sched_rr_get_interval",
 +				"sched_rr_get_interval_time64",
 +				"sched_setaffinity",
 +				"sched_setattr",
 +				"sched_setparam",
 +				"sched_setscheduler",
 +				"sched_yield",
 +				"seccomp",
 +				"select",
 +				"semctl",
 +				"semget",
 +				"semop",
 +				"semtimedop",
 +				"semtimedop_time64",
 +				"send",
 +				"sendfile",
 +				"sendfile64",
 +				"sendmmsg",
 +				"sendmsg",
 +				"sendto",
 +				"setfsgid",
 +				"setfsgid32",
 +				"setfsuid",
 +				"setfsuid32",
 +				"setgid",
 +				"setgid32",
 +				"setgroups",
 +				"setgroups32",
 +				"setitimer",
 +				"setpgid",
 +				"setpriority",
 +				"setregid",
 +				"setregid32",
 +				"setresgid",
 +				"setresgid32",
 +				"setresuid",
 +				"setresuid32",
 +				"setreuid",
 +				"setreuid32",
 +				"setrlimit",
 +				"set_robust_list",
 +				"setsid",
 +				"setsockopt",
 +				"set_thread_area",
 +				"set_tid_address",
 +				"setuid",
 +				"setuid32",
 +				"setxattr",
 +				"setxattrat",
 +				"shmat",
 +				"shmctl",
 +				"shmdt",
 +				"shmget",
 +				"shutdown",
 +				"sigaltstack",
 +				"signalfd",
 +				"signalfd4",
 +				"sigprocmask",
 +				"sigreturn",
 +				"socketcall",
 +				"socketpair",
 +				"splice",
 +				"stat",
 +				"stat64",
 +				"statfs",
 +				"statfs64",
 +				"statmount",
 +				"statx",
 +				"symlink",
 +				"symlinkat",
 +				"sync",
 +				"sync_file_range",
 +				"syncfs",
 +				"sysinfo",
 +				"tee",
 +				"tgkill",
 +				"time",
 +				"timer_create",
 +				"timer_delete",
 +				"timer_getoverrun",
 +				"timer_gettime",
 +				"timer_gettime64",
 +				"timer_settime",
 +				"timer_settime64",
 +				"timerfd_create",
 +				"timerfd_gettime",
 +				"timerfd_gettime64",
 +				"timerfd_settime",
 +				"timerfd_settime64",
 +				"times",
 +				"tkill",
 +				"truncate",
 +				"truncate64",
 +				"ugetrlimit",
 +				"umask",
 +				"uname",
 +				"unlink",
 +				"unlinkat",
 +				"uretprobe",
 +				"utime",
 +				"utimensat",
 +				"utimensat_time64",
 +				"utimes",
 +				"vfork",
 +				"vmsplice",
 +				"wait4",
 +				"waitid",
 +				"waitpid",
 +				"write",
 +				"writev"
 +			],
 +			"action": "SCMP_ACT_ALLOW"
 +		},
 +		{
 +			"names": [
 +				"process_vm_readv",
 +				"process_vm_writev",
 +				"ptrace"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"minKernel": "4.8"
 +			}
 +		},
 +		{
 +			"names": [
 +				"socket"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 38,
 +					"op": "SCMP_CMP_LT"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"socket"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 39,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"socket"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 40,
 +					"op": "SCMP_CMP_GT"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"personality"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 0,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"personality"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 8,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"personality"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 131072,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"personality"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 131080,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"personality"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 4294967295,
 +					"op": "SCMP_CMP_EQ"
 +				}
 +			]
 +		},
 +		{
 +			"names": [
 +				"sync_file_range2",
 +				"swapcontext"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"ppc64le"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"arm_fadvise64_64",
 +				"arm_sync_file_range",
 +				"sync_file_range2",
 +				"breakpoint",
 +				"cacheflush",
 +				"set_tls"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"arm",
 +					"arm64"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"arch_prctl"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"amd64",
 +					"x32"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"modify_ldt"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"amd64",
 +					"x32",
 +					"x86"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"s390_pci_mmio_read",
 +				"s390_pci_mmio_write",
 +				"s390_runtime_instr"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"s390",
 +					"s390x"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"riscv_flush_icache"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"arches": [
 +					"riscv64"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"open_by_handle_at"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_DAC_READ_SEARCH"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"bpf",
 +				"clone",
 +				"clone3",
 +				"fanotify_init",
 +				"fsconfig",
 +				"fsmount",
 +				"fsopen",
 +				"fspick",
 +				"lookup_dcookie",
 +				"lsm_get_self_attr",
 +				"lsm_list_modules",
 +				"lsm_set_self_attr",
 +				"mount",
 +				"mount_setattr",
 +				"move_mount",
 +				"open_tree",
 +				"perf_event_open",
 +				"quotactl",
 +				"quotactl_fd",
 +				"setdomainname",
 +				"sethostname",
 +				"setns",
 +				"syslog",
 +				"umount",
 +				"umount2",
 +				"unshare"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_ADMIN"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"clone"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 0,
 +					"value": 2114060288,
 +					"op": "SCMP_CMP_MASKED_EQ"
 +				}
 +			],
 +			"excludes": {
 +				"caps": [
 +					"CAP_SYS_ADMIN"
 +				],
 +				"arches": [
 +					"s390",
 +					"s390x"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"clone"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"args": [
 +				{
 +					"index": 1,
 +					"value": 2114060288,
 +					"op": "SCMP_CMP_MASKED_EQ"
 +				}
 +			],
 +			"comment": "s390 parameter ordering for clone is different",
 +			"includes": {
 +				"arches": [
 +					"s390",
 +					"s390x"
 +				]
 +			},
 +			"excludes": {
 +				"caps": [
 +					"CAP_SYS_ADMIN"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"clone3"
 +			],
 +			"action": "SCMP_ACT_ERRNO",
 +			"errnoRet": 38,
 +			"excludes": {
 +				"caps": [
 +					"CAP_SYS_ADMIN"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"reboot"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_BOOT"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"chroot"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_CHROOT"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"delete_module",
 +				"init_module",
 +				"finit_module"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_MODULE"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"acct"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_PACCT"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"kcmp",
 +				"pidfd_getfd",
 +				"process_madvise",
 +				"process_vm_readv",
 +				"process_vm_writev",
 +				"ptrace"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_PTRACE"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"iopl",
 +				"ioperm"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_RAWIO"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"settimeofday",
 +				"stime",
 +				"clock_settime",
 +				"clock_settime64"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_TIME"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"vhangup"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_TTY_CONFIG"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"get_mempolicy",
 +				"mbind",
 +				"set_mempolicy",
 +				"set_mempolicy_home_node"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYS_NICE"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"syslog"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_SYSLOG"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"bpf"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_BPF"
 +				]
 +			}
 +		},
 +		{
 +			"names": [
 +				"perf_event_open"
 +			],
 +			"action": "SCMP_ACT_ALLOW",
 +			"includes": {
 +				"caps": [
 +					"CAP_PERFMON"
 +				]
 +			}
 +		}
 +	]
 +}

deploy/systemd/shithubd-runner.servicemodified

  RestartSec=2
  LimitNOFILE=65535
 -# Docker access is intentionally broad in S41d. S41e narrows network and
 -# secret exposure; until then this unit is only for trusted runner hosts.
 +# Docker socket access still makes the host trusted infrastructure.
 +# Container-level hardening lives in internal/runner/engine/docker.go
 +# and the pinned seccomp profile installed under /etc/shithubd-runner.
  NoNewPrivileges=yes
  ProtectSystem=strict
  ProtectHome=yes

internal/runner/config/config.gomodified

+ )
  const (
 -	DefaultPath  = "/etc/shithubd-runner/config.toml"
 -	EnvPrefix    = "SHITHUB_RUNNER_"
 -	defaultImage = "ghcr.io/shithub/runner-nix:1.0"
 +	DefaultPath            = "/etc/shithubd-runner/config.toml"
 +	EnvPrefix              = "SHITHUB_RUNNER_"
 +	defaultImage           = "ghcr.io/shithub/runner-nix:1.0"
 +	defaultSeccompProfile  = "/etc/shithubd-runner/seccomp.json"
 +	defaultContainerUser   = "65534:65534"
 +	defaultContainerPIDMax = 512
+ )
  // LoadOptions controls config resolution. Zero value uses the default path,
+ }
  type EngineConfig struct {
 -	Kind         string `toml:"kind"`
 -	DefaultImage string `toml:"default_image"`
 -	Network      string `toml:"network"`
 -	Memory       string `toml:"memory"`
 -	CPUs         string `toml:"cpus"`
 +	Kind           string `toml:"kind"`
 +	DefaultImage   string `toml:"default_image"`
 +	Network        string `toml:"network"`
 +	Memory         string `toml:"memory"`
 +	CPUs           string `toml:"cpus"`
 +	SeccompProfile string `toml:"seccomp_profile"`
 +	User           string `toml:"user"`
 +	PidsLimit      int    `toml:"pids_limit"`
+ }
  type LogConfig struct {
  			WorkspaceTTL:  24 * time.Hour,
  		},
  		Engine: EngineConfig{
 -			Kind:         "docker",
 -			DefaultImage: defaultImage,
 -			Network:      "bridge",
 -			Memory:       "2g",
 -			CPUs:         "2",
 +			Kind:           "docker",
 +			DefaultImage:   defaultImage,
 +			Network:        "bridge",
 +			Memory:         "2g",
 +			CPUs:           "2",
 +			SeccompProfile: defaultSeccompProfile,
 +			User:           defaultContainerUser,
 +			PidsLimit:      defaultContainerPIDMax,
  		},
  		Log: LogConfig{
  			Level:  "info",
  	if strings.TrimSpace(c.Engine.CPUs) == "" {
  		return errors.New("runner config: engine.cpus is required")
+ 	}
 +	c.Engine.SeccompProfile = strings.TrimSpace(c.Engine.SeccompProfile)
 +	if c.Engine.SeccompProfile == "" {
 +		return errors.New("runner config: engine.seccomp_profile is required")
 +	}
 +	c.Engine.User = strings.TrimSpace(c.Engine.User)
 +	if c.Engine.User == "" {
 +		return errors.New("runner config: engine.user is required")
 +	}
 +	if c.Engine.PidsLimit <= 0 {
 +		return fmt.Errorf("runner config: engine.pids_limit must be positive, got %d", c.Engine.PidsLimit)
 +	}
  	switch strings.ToLower(c.Log.Level) {
  	case "debug", "info", "warn", "error":

internal/runner/config/config_test.gomodified

  	if cfg.Engine.Kind != "docker" {
  		t.Fatalf("Engine.Kind: %q", cfg.Engine.Kind)
+ 	}
 +	if cfg.Engine.SeccompProfile != "/etc/shithubd-runner/seccomp.json" {
 +		t.Fatalf("Engine.SeccompProfile: %q", cfg.Engine.SeccompProfile)
 +	}
 +	if cfg.Engine.User != "65534:65534" {
 +		t.Fatalf("Engine.User: %q", cfg.Engine.User)
 +	}
 +	if cfg.Engine.PidsLimit != 512 {
 +		t.Fatalf("Engine.PidsLimit: %d", cfg.Engine.PidsLimit)
 +	}
  	if cfg.Runner.PollInterval != 5*time.Second {
  		t.Fatalf("PollInterval: %v", cfg.Runner.PollInterval)
+ 	}
  network = "none"
  memory = "1g"
  cpus = "1"
 +seccomp_profile = "/file/seccomp.json"
 +user = "1000:1000"
 +pids_limit = 64
+ `
  	if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
  		t.Fatalf("WriteFile: %v", err)
  		ConfigPath: path,
  		Environ: []string{
  			"SHITHUB_RUNNER_TOKEN=alias-token",
 +			"SHITHUB_RUNNER_ENGINE__PIDS_LIMIT=256",
  			"SHITHUB_RUNNER_RUNNER__CAPACITY=3",
  			"SHITHUB_RUNNER_RUNNER__LABELS=self-hosted,linux,x64",
  		},
  		Overrides: map[string]string{
 -			"server.base_url":      "https://flag.example/path/",
 -			"runner.capacity":      "4",
 -			"runner.poll_interval": "2s",
 +			"server.base_url":        "https://flag.example/path/",
 +			"runner.capacity":        "4",
 +			"runner.poll_interval":   "2s",
 +			"engine.seccomp_profile": "/flag/seccomp.json",
 +			"engine.user":            "123:456",
  		},
  	})
  	if err != nil {
  	if want := []string{"self-hosted", "linux", "x64"}; !reflect.DeepEqual(cfg.Runner.Labels, want) {
  		t.Fatalf("Labels: got %#v want %#v", cfg.Runner.Labels, want)
+ 	}
 +	if cfg.Engine.SeccompProfile != "/flag/seccomp.json" {
 +		t.Fatalf("SeccompProfile: %q", cfg.Engine.SeccompProfile)
 +	}
 +	if cfg.Engine.User != "123:456" {
 +		t.Fatalf("User: %q", cfg.Engine.User)
 +	}
 +	if cfg.Engine.PidsLimit != 256 {
 +		t.Fatalf("PidsLimit: %d", cfg.Engine.PidsLimit)
 +	}
+ }
  func TestLoad_RequiresToken(t *testing.T) {
  		t.Fatal("Validate returned nil error")
+ 	}
+ }
++
 +func TestValidate_RejectsBadPidsLimit(t *testing.T) {
 +	t.Parallel()
 +	cfg := Defaults()
 +	cfg.Runner.Token = "tok"
 +	cfg.Engine.PidsLimit = 0
 +	if err := Validate(&cfg); err == nil {
 +		t.Fatal("Validate returned nil error")
 +	}
 +}