Create baseprofiles in CI

Signed-off-by: Sascha Grunert <[email protected]>

.github/workflows/test.yml

@@ -167,3 +167,33 @@ jobs:
         run: |
           $RUN "echo \"export E2E_TEST_FLAKY_TESTS_ONLY=true\" >> /vagrant/hack/ci/env-flatcar.sh"
           $RUN hack/ci/e2e-flatcar-dev-container.sh
+
+  baseprofiles:
+    needs: image
+    runs-on: macos-12
+    timeout-minutes: 90
+    env:
+      RUN: ./hack/ci/run-ubuntu.sh
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0
+        with:
+          path: |
+            ~/.vagrant.d/boxes
+          key: e2e-ubuntu-${{ hashFiles('hack/ci/Vagrantfile-ubuntu') }}
+          restore-keys: e2e-ubuntu-
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
+        with:
+          name: image
+          path: .
+      - name: Boot Virtual Machine
+        run: make vagrant-up-ubuntu
+      - name: Show environment information
+        run: |
+          $RUN kubectl wait --for=condition=ready --timeout=60s node ubuntu2204
+          $RUN kubectl get nodes -o wide
+      - name: Set up git config
+        run: |
+          $RUN git config --global --add safe.directory /vagrant
+      - name: Record baseprofiles
+        run: $RUN hack/ci/baseprofiles.sh

dependencies.yaml

@@ -58,6 +58,8 @@ dependencies:
       match: cert-manager/cert-manager
     - path: hack/ci/e2e-olm.sh
       match: cert-manager/cert-manager
+    - path: hack/ci/baseprofiles.sh
+      match: cert-manager/cert-manager
 
   - name: kind
     version: 0.17.0

examples/baseprofile-crun.yaml

@@ -2,53 +2,62 @@
 apiVersion: security-profiles-operator.x-k8s.io/v1beta1
 kind: SeccompProfile
 metadata:
-  name: crun-v0.20.1
+  name: crun-v1.5
 spec:
   defaultAction: SCMP_ACT_ERRNO
   architectures:
-  - SCMP_ARCH_X86_64
+    - SCMP_ARCH_X86_64
   syscalls:
-  - action: SCMP_ACT_ALLOW
-    names:
-    - access
-    - arch_prctl
-    - brk
-    - capset
-    - chdir
-    - close
-    - close_range
-    - dup2
-    - execve
-    - exit_group
-    - fchdir
-    - fstat
-    - getcwd
-    - getegid
-    - geteuid
-    - getgid
-    - getpid
-    - getppid
-    - getuid
-    - ioctl
-    - lseek
-    - mmap
-    - mount
-    - mprotect
-    - openat
-    - openat2
-    - pivot_root
-    - prctl
-    - read
-    - rt_sigaction
-    - rt_sigprocmask
-    - select
-    - set_tid_address
-    - sethostname
-    - setresgid
-    - setresuid
-    - setsid
-    - stat
-    - statx
-    - umask
-    - umount2
-    - write
+    - action: SCMP_ACT_ALLOW
+      names:
+        - access
+        - arch_prctl
+        - brk
+        - capset
+        - chdir
+        - chmod
+        - chown
+        - close
+        - close_range
+        - dup2
+        - execve
+        - exit_group
+        - fchdir
+        - fchown
+        - fstatfs
+        - getegid
+        - geteuid
+        - getgid
+        - getuid
+        - ioctl
+        - lseek
+        - mkdirat
+        - mknodat
+        - mmap
+        - mount
+        - mprotect
+        - nanosleep
+        - newfstatat
+        - openat
+        - openat2
+        - pivot_root
+        - prctl
+        - pselect6
+        - read
+        - readlink
+        - rt_sigaction
+        - rt_sigprocmask
+        - set_tid_address
+        - setgroups
+        - sethostname
+        - setns
+        - setresgid
+        - setresuid
+        - setsid
+        - statfs
+        - statx
+        - symlinkat
+        - umask
+        - umount2
+        - unshare
+        - write

examples/baseprofile-runc.yaml

@@ -2,56 +2,75 @@
 apiVersion: security-profiles-operator.x-k8s.io/v1beta1
 kind: SeccompProfile
 metadata:
-  name: runc-v1.0.0
+  name: runc-v1.1.4
 spec:
   defaultAction: SCMP_ACT_ERRNO
   architectures:
-  - SCMP_ARCH_X86_64
+    - SCMP_ARCH_X86_64
   syscalls:
-  - action: SCMP_ACT_ALLOW
-    names:
-    - arch_prctl
-    - brk
-    - capget
-    - capset
-    - chdir
-    - close
-    - dup3
-    - epoll_ctl
-    - epoll_pwait
-    - execve
-    - exit_group
-    - fchdir
-    - fchown
-    - fcntl
-    - fstat
-    - fstatfs
-    - futex
-    - getcwd
-    - getdents64
-    - getpid
-    - getppid
-    - getuid
-    - ioctl
-    - mmap
-    - mount
-    - mprotect
-    - nanosleep
-    - newfstatat
-    - openat
-    - pivot_root
-    - prctl
-    - read
-    - rt_sigaction
-    - rt_sigprocmask
-    - rt_sigreturn
-    - set_tid_address
-    - setgid
-    - setgroups
-    - sethostname
-    - setuid
-    - statfs
-    - tgkill
-    - umask
-    - umount2
-    - write
+    - action: SCMP_ACT_ALLOW
+      names:
+        - arch_prctl
+        - brk
+        - capget
+        - capset
+        - chdir
+        - clone
+        - close
+        - dup3
+        - epoll_create1
+        - epoll_ctl
+        - epoll_pwait
+        - execve
+        - exit_group
+        - faccessat2
+        - fchdir
+        - fchmodat
+        - fchownat
+        - fcntl
+        - fstat
+        - fstatfs
+        - futex
+        - getdents64
+        - getpid
+        - getppid
+        - gettid
+        - getuid
+        - keyctl
+        - mkdirat
+        - mknodat
+        - mmap
+        - mount
+        - mprotect
+        - munmap
+        - nanosleep
+        - newfstatat
+        - openat
+        - pipe2
+        - pivot_root
+        - prctl
+        - pread64
+        - read
+        - readlinkat
+        - rt_sigaction
+        - rt_sigprocmask
+        - rt_sigreturn
+        - sched_getaffinity
+        - sched_yield
+        - seccomp
+        - set_robust_list
+        - set_tid_address
+        - setgid
+        - setgroups
+        - sethostname
+        - setsid
+        - setuid
+        - sigaltstack
+        - statfs
+        - symlinkat
+        - tgkill
+        - umask
+        - umount2
+        - unlinkat
+        - unshare
+        - write