seccomp: refactor to use runtime-spec types where possible
| 1 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,94 +0,0 @@ |
| 1 |
-package types // import "github.com/docker/docker/api/types" |
|
| 2 |
- |
|
| 3 |
-// Seccomp represents the config for a seccomp profile for syscall restriction. |
|
| 4 |
-type Seccomp struct {
|
|
| 5 |
- DefaultAction Action `json:"defaultAction"` |
|
| 6 |
- // Architectures is kept to maintain backward compatibility with the old |
|
| 7 |
- // seccomp profile. |
|
| 8 |
- Architectures []Arch `json:"architectures,omitempty"` |
|
| 9 |
- ArchMap []Architecture `json:"archMap,omitempty"` |
|
| 10 |
- Syscalls []*Syscall `json:"syscalls"` |
|
| 11 |
-} |
|
| 12 |
- |
|
| 13 |
-// Architecture is used to represent a specific architecture |
|
| 14 |
-// and its sub-architectures |
|
| 15 |
-type Architecture struct {
|
|
| 16 |
- Arch Arch `json:"architecture"` |
|
| 17 |
- SubArches []Arch `json:"subArchitectures"` |
|
| 18 |
-} |
|
| 19 |
- |
|
| 20 |
-// Arch used for architectures |
|
| 21 |
-type Arch string |
|
| 22 |
- |
|
| 23 |
-// Additional architectures permitted to be used for system calls |
|
| 24 |
-// By default only the native architecture of the kernel is permitted |
|
| 25 |
-const ( |
|
| 26 |
- ArchX86 Arch = "SCMP_ARCH_X86" |
|
| 27 |
- ArchX86_64 Arch = "SCMP_ARCH_X86_64" |
|
| 28 |
- ArchX32 Arch = "SCMP_ARCH_X32" |
|
| 29 |
- ArchARM Arch = "SCMP_ARCH_ARM" |
|
| 30 |
- ArchAARCH64 Arch = "SCMP_ARCH_AARCH64" |
|
| 31 |
- ArchMIPS Arch = "SCMP_ARCH_MIPS" |
|
| 32 |
- ArchMIPS64 Arch = "SCMP_ARCH_MIPS64" |
|
| 33 |
- ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32" |
|
| 34 |
- ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL" |
|
| 35 |
- ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64" |
|
| 36 |
- ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32" |
|
| 37 |
- ArchPPC Arch = "SCMP_ARCH_PPC" |
|
| 38 |
- ArchPPC64 Arch = "SCMP_ARCH_PPC64" |
|
| 39 |
- ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE" |
|
| 40 |
- ArchS390 Arch = "SCMP_ARCH_S390" |
|
| 41 |
- ArchS390X Arch = "SCMP_ARCH_S390X" |
|
| 42 |
-) |
|
| 43 |
- |
|
| 44 |
-// Action taken upon Seccomp rule match |
|
| 45 |
-type Action string |
|
| 46 |
- |
|
| 47 |
-// Define actions for Seccomp rules |
|
| 48 |
-const ( |
|
| 49 |
- ActKill Action = "SCMP_ACT_KILL" |
|
| 50 |
- ActTrap Action = "SCMP_ACT_TRAP" |
|
| 51 |
- ActErrno Action = "SCMP_ACT_ERRNO" |
|
| 52 |
- ActTrace Action = "SCMP_ACT_TRACE" |
|
| 53 |
- ActAllow Action = "SCMP_ACT_ALLOW" |
|
| 54 |
-) |
|
| 55 |
- |
|
| 56 |
-// Operator used to match syscall arguments in Seccomp |
|
| 57 |
-type Operator string |
|
| 58 |
- |
|
| 59 |
-// Define operators for syscall arguments in Seccomp |
|
| 60 |
-const ( |
|
| 61 |
- OpNotEqual Operator = "SCMP_CMP_NE" |
|
| 62 |
- OpLessThan Operator = "SCMP_CMP_LT" |
|
| 63 |
- OpLessEqual Operator = "SCMP_CMP_LE" |
|
| 64 |
- OpEqualTo Operator = "SCMP_CMP_EQ" |
|
| 65 |
- OpGreaterEqual Operator = "SCMP_CMP_GE" |
|
| 66 |
- OpGreaterThan Operator = "SCMP_CMP_GT" |
|
| 67 |
- OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ" |
|
| 68 |
-) |
|
| 69 |
- |
|
| 70 |
-// Arg used for matching specific syscall arguments in Seccomp |
|
| 71 |
-type Arg struct {
|
|
| 72 |
- Index uint `json:"index"` |
|
| 73 |
- Value uint64 `json:"value"` |
|
| 74 |
- ValueTwo uint64 `json:"valueTwo"` |
|
| 75 |
- Op Operator `json:"op"` |
|
| 76 |
-} |
|
| 77 |
- |
|
| 78 |
-// Filter is used to conditionally apply Seccomp rules |
|
| 79 |
-type Filter struct {
|
|
| 80 |
- Caps []string `json:"caps,omitempty"` |
|
| 81 |
- Arches []string `json:"arches,omitempty"` |
|
| 82 |
- MinKernel string `json:"minKernel,omitempty"` |
|
| 83 |
-} |
|
| 84 |
- |
|
| 85 |
-// Syscall is used to match a group of syscalls in Seccomp |
|
| 86 |
-type Syscall struct {
|
|
| 87 |
- Name string `json:"name,omitempty"` |
|
| 88 |
- Names []string `json:"names,omitempty"` |
|
| 89 |
- Action Action `json:"action"` |
|
| 90 |
- Args []*Arg `json:"args"` |
|
| 91 |
- Comment string `json:"comment"` |
|
| 92 |
- Includes Filter `json:"includes"` |
|
| 93 |
- Excludes Filter `json:"excludes"` |
|
| 94 |
-} |
| ... | ... |
@@ -416,7 +416,6 @@ |
| 416 | 416 |
{
|
| 417 | 417 |
"index": 0, |
| 418 | 418 |
"value": 0, |
| 419 |
- "valueTwo": 0, |
|
| 420 | 419 |
"op": "SCMP_CMP_EQ" |
| 421 | 420 |
} |
| 422 | 421 |
], |
| ... | ... |
@@ -433,7 +432,6 @@ |
| 433 | 433 |
{
|
| 434 | 434 |
"index": 0, |
| 435 | 435 |
"value": 8, |
| 436 |
- "valueTwo": 0, |
|
| 437 | 436 |
"op": "SCMP_CMP_EQ" |
| 438 | 437 |
} |
| 439 | 438 |
], |
| ... | ... |
@@ -450,7 +448,6 @@ |
| 450 | 450 |
{
|
| 451 | 451 |
"index": 0, |
| 452 | 452 |
"value": 131072, |
| 453 |
- "valueTwo": 0, |
|
| 454 | 453 |
"op": "SCMP_CMP_EQ" |
| 455 | 454 |
} |
| 456 | 455 |
], |
| ... | ... |
@@ -467,7 +464,6 @@ |
| 467 | 467 |
{
|
| 468 | 468 |
"index": 0, |
| 469 | 469 |
"value": 131080, |
| 470 |
- "valueTwo": 0, |
|
| 471 | 470 |
"op": "SCMP_CMP_EQ" |
| 472 | 471 |
} |
| 473 | 472 |
], |
| ... | ... |
@@ -484,7 +480,6 @@ |
| 484 | 484 |
{
|
| 485 | 485 |
"index": 0, |
| 486 | 486 |
"value": 4294967295, |
| 487 |
- "valueTwo": 0, |
|
| 488 | 487 |
"op": "SCMP_CMP_EQ" |
| 489 | 488 |
} |
| 490 | 489 |
], |
| ... | ... |
@@ -625,7 +620,6 @@ |
| 625 | 625 |
{
|
| 626 | 626 |
"index": 0, |
| 627 | 627 |
"value": 2114060288, |
| 628 |
- "valueTwo": 0, |
|
| 629 | 628 |
"op": "SCMP_CMP_MASKED_EQ" |
| 630 | 629 |
} |
| 631 | 630 |
], |
| ... | ... |
@@ -650,7 +644,6 @@ |
| 650 | 650 |
{
|
| 651 | 651 |
"index": 1, |
| 652 | 652 |
"value": 2114060288, |
| 653 |
- "valueTwo": 0, |
|
| 654 | 653 |
"op": "SCMP_CMP_MASKED_EQ" |
| 655 | 654 |
} |
| 656 | 655 |
], |
| ... | ... |
@@ -3,46 +3,46 @@ |
| 3 | 3 |
package seccomp // import "github.com/docker/docker/profiles/seccomp" |
| 4 | 4 |
|
| 5 | 5 |
import ( |
| 6 |
- "github.com/docker/docker/api/types" |
|
| 6 |
+ "github.com/opencontainers/runtime-spec/specs-go" |
|
| 7 | 7 |
"golang.org/x/sys/unix" |
| 8 | 8 |
) |
| 9 | 9 |
|
| 10 |
-func arches() []types.Architecture {
|
|
| 11 |
- return []types.Architecture{
|
|
| 10 |
+func arches() []Architecture {
|
|
| 11 |
+ return []Architecture{
|
|
| 12 | 12 |
{
|
| 13 |
- Arch: types.ArchX86_64, |
|
| 14 |
- SubArches: []types.Arch{types.ArchX86, types.ArchX32},
|
|
| 13 |
+ Arch: specs.ArchX86_64, |
|
| 14 |
+ SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32},
|
|
| 15 | 15 |
}, |
| 16 | 16 |
{
|
| 17 |
- Arch: types.ArchAARCH64, |
|
| 18 |
- SubArches: []types.Arch{types.ArchARM},
|
|
| 17 |
+ Arch: specs.ArchAARCH64, |
|
| 18 |
+ SubArches: []specs.Arch{specs.ArchARM},
|
|
| 19 | 19 |
}, |
| 20 | 20 |
{
|
| 21 |
- Arch: types.ArchMIPS64, |
|
| 22 |
- SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
|
|
| 21 |
+ Arch: specs.ArchMIPS64, |
|
| 22 |
+ SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32},
|
|
| 23 | 23 |
}, |
| 24 | 24 |
{
|
| 25 |
- Arch: types.ArchMIPS64N32, |
|
| 26 |
- SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
|
|
| 25 |
+ Arch: specs.ArchMIPS64N32, |
|
| 26 |
+ SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64},
|
|
| 27 | 27 |
}, |
| 28 | 28 |
{
|
| 29 |
- Arch: types.ArchMIPSEL64, |
|
| 30 |
- SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
|
|
| 29 |
+ Arch: specs.ArchMIPSEL64, |
|
| 30 |
+ SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32},
|
|
| 31 | 31 |
}, |
| 32 | 32 |
{
|
| 33 |
- Arch: types.ArchMIPSEL64N32, |
|
| 34 |
- SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
|
|
| 33 |
+ Arch: specs.ArchMIPSEL64N32, |
|
| 34 |
+ SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64},
|
|
| 35 | 35 |
}, |
| 36 | 36 |
{
|
| 37 |
- Arch: types.ArchS390X, |
|
| 38 |
- SubArches: []types.Arch{types.ArchS390},
|
|
| 37 |
+ Arch: specs.ArchS390X, |
|
| 38 |
+ SubArches: []specs.Arch{specs.ArchS390},
|
|
| 39 | 39 |
}, |
| 40 | 40 |
} |
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 | 43 |
// DefaultProfile defines the allowed syscalls for the default seccomp profile. |
| 44 |
-func DefaultProfile() *types.Seccomp {
|
|
| 45 |
- syscalls := []*types.Syscall{
|
|
| 44 |
+func DefaultProfile() *Seccomp {
|
|
| 45 |
+ syscalls := []*Syscall{
|
|
| 46 | 46 |
{
|
| 47 | 47 |
Names: []string{
|
| 48 | 48 |
"accept", |
| ... | ... |
@@ -382,68 +382,68 @@ func DefaultProfile() *types.Seccomp {
|
| 382 | 382 |
"write", |
| 383 | 383 |
"writev", |
| 384 | 384 |
}, |
| 385 |
- Action: types.ActAllow, |
|
| 386 |
- Args: []*types.Arg{},
|
|
| 385 |
+ Action: specs.ActAllow, |
|
| 386 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 387 | 387 |
}, |
| 388 | 388 |
{
|
| 389 | 389 |
Names: []string{"ptrace"},
|
| 390 |
- Action: types.ActAllow, |
|
| 391 |
- Includes: types.Filter{
|
|
| 390 |
+ Action: specs.ActAllow, |
|
| 391 |
+ Includes: Filter{
|
|
| 392 | 392 |
MinKernel: "4.8", |
| 393 | 393 |
}, |
| 394 | 394 |
}, |
| 395 | 395 |
{
|
| 396 | 396 |
Names: []string{"personality"},
|
| 397 |
- Action: types.ActAllow, |
|
| 398 |
- Args: []*types.Arg{
|
|
| 397 |
+ Action: specs.ActAllow, |
|
| 398 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 399 | 399 |
{
|
| 400 | 400 |
Index: 0, |
| 401 | 401 |
Value: 0x0, |
| 402 |
- Op: types.OpEqualTo, |
|
| 402 |
+ Op: specs.OpEqualTo, |
|
| 403 | 403 |
}, |
| 404 | 404 |
}, |
| 405 | 405 |
}, |
| 406 | 406 |
{
|
| 407 | 407 |
Names: []string{"personality"},
|
| 408 |
- Action: types.ActAllow, |
|
| 409 |
- Args: []*types.Arg{
|
|
| 408 |
+ Action: specs.ActAllow, |
|
| 409 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 410 | 410 |
{
|
| 411 | 411 |
Index: 0, |
| 412 | 412 |
Value: 0x0008, |
| 413 |
- Op: types.OpEqualTo, |
|
| 413 |
+ Op: specs.OpEqualTo, |
|
| 414 | 414 |
}, |
| 415 | 415 |
}, |
| 416 | 416 |
}, |
| 417 | 417 |
{
|
| 418 | 418 |
Names: []string{"personality"},
|
| 419 |
- Action: types.ActAllow, |
|
| 420 |
- Args: []*types.Arg{
|
|
| 419 |
+ Action: specs.ActAllow, |
|
| 420 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 421 | 421 |
{
|
| 422 | 422 |
Index: 0, |
| 423 | 423 |
Value: 0x20000, |
| 424 |
- Op: types.OpEqualTo, |
|
| 424 |
+ Op: specs.OpEqualTo, |
|
| 425 | 425 |
}, |
| 426 | 426 |
}, |
| 427 | 427 |
}, |
| 428 | 428 |
{
|
| 429 | 429 |
Names: []string{"personality"},
|
| 430 |
- Action: types.ActAllow, |
|
| 431 |
- Args: []*types.Arg{
|
|
| 430 |
+ Action: specs.ActAllow, |
|
| 431 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 432 | 432 |
{
|
| 433 | 433 |
Index: 0, |
| 434 | 434 |
Value: 0x20008, |
| 435 |
- Op: types.OpEqualTo, |
|
| 435 |
+ Op: specs.OpEqualTo, |
|
| 436 | 436 |
}, |
| 437 | 437 |
}, |
| 438 | 438 |
}, |
| 439 | 439 |
{
|
| 440 | 440 |
Names: []string{"personality"},
|
| 441 |
- Action: types.ActAllow, |
|
| 442 |
- Args: []*types.Arg{
|
|
| 441 |
+ Action: specs.ActAllow, |
|
| 442 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 443 | 443 |
{
|
| 444 | 444 |
Index: 0, |
| 445 | 445 |
Value: 0xffffffff, |
| 446 |
- Op: types.OpEqualTo, |
|
| 446 |
+ Op: specs.OpEqualTo, |
|
| 447 | 447 |
}, |
| 448 | 448 |
}, |
| 449 | 449 |
}, |
| ... | ... |
@@ -451,9 +451,9 @@ func DefaultProfile() *types.Seccomp {
|
| 451 | 451 |
Names: []string{
|
| 452 | 452 |
"sync_file_range2", |
| 453 | 453 |
}, |
| 454 |
- Action: types.ActAllow, |
|
| 455 |
- Args: []*types.Arg{},
|
|
| 456 |
- Includes: types.Filter{
|
|
| 454 |
+ Action: specs.ActAllow, |
|
| 455 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 456 |
+ Includes: Filter{
|
|
| 457 | 457 |
Arches: []string{"ppc64le"},
|
| 458 | 458 |
}, |
| 459 | 459 |
}, |
| ... | ... |
@@ -466,9 +466,9 @@ func DefaultProfile() *types.Seccomp {
|
| 466 | 466 |
"cacheflush", |
| 467 | 467 |
"set_tls", |
| 468 | 468 |
}, |
| 469 |
- Action: types.ActAllow, |
|
| 470 |
- Args: []*types.Arg{},
|
|
| 471 |
- Includes: types.Filter{
|
|
| 469 |
+ Action: specs.ActAllow, |
|
| 470 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 471 |
+ Includes: Filter{
|
|
| 472 | 472 |
Arches: []string{"arm", "arm64"},
|
| 473 | 473 |
}, |
| 474 | 474 |
}, |
| ... | ... |
@@ -476,9 +476,9 @@ func DefaultProfile() *types.Seccomp {
|
| 476 | 476 |
Names: []string{
|
| 477 | 477 |
"arch_prctl", |
| 478 | 478 |
}, |
| 479 |
- Action: types.ActAllow, |
|
| 480 |
- Args: []*types.Arg{},
|
|
| 481 |
- Includes: types.Filter{
|
|
| 479 |
+ Action: specs.ActAllow, |
|
| 480 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 481 |
+ Includes: Filter{
|
|
| 482 | 482 |
Arches: []string{"amd64", "x32"},
|
| 483 | 483 |
}, |
| 484 | 484 |
}, |
| ... | ... |
@@ -486,9 +486,9 @@ func DefaultProfile() *types.Seccomp {
|
| 486 | 486 |
Names: []string{
|
| 487 | 487 |
"modify_ldt", |
| 488 | 488 |
}, |
| 489 |
- Action: types.ActAllow, |
|
| 490 |
- Args: []*types.Arg{},
|
|
| 491 |
- Includes: types.Filter{
|
|
| 489 |
+ Action: specs.ActAllow, |
|
| 490 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 491 |
+ Includes: Filter{
|
|
| 492 | 492 |
Arches: []string{"amd64", "x32", "x86"},
|
| 493 | 493 |
}, |
| 494 | 494 |
}, |
| ... | ... |
@@ -498,9 +498,9 @@ func DefaultProfile() *types.Seccomp {
|
| 498 | 498 |
"s390_pci_mmio_write", |
| 499 | 499 |
"s390_runtime_instr", |
| 500 | 500 |
}, |
| 501 |
- Action: types.ActAllow, |
|
| 502 |
- Args: []*types.Arg{},
|
|
| 503 |
- Includes: types.Filter{
|
|
| 501 |
+ Action: specs.ActAllow, |
|
| 502 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 503 |
+ Includes: Filter{
|
|
| 504 | 504 |
Arches: []string{"s390", "s390x"},
|
| 505 | 505 |
}, |
| 506 | 506 |
}, |
| ... | ... |
@@ -508,9 +508,9 @@ func DefaultProfile() *types.Seccomp {
|
| 508 | 508 |
Names: []string{
|
| 509 | 509 |
"open_by_handle_at", |
| 510 | 510 |
}, |
| 511 |
- Action: types.ActAllow, |
|
| 512 |
- Args: []*types.Arg{},
|
|
| 513 |
- Includes: types.Filter{
|
|
| 511 |
+ Action: specs.ActAllow, |
|
| 512 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 513 |
+ Includes: Filter{
|
|
| 514 | 514 |
Caps: []string{"CAP_DAC_READ_SEARCH"},
|
| 515 | 515 |
}, |
| 516 | 516 |
}, |
| ... | ... |
@@ -532,9 +532,9 @@ func DefaultProfile() *types.Seccomp {
|
| 532 | 532 |
"umount2", |
| 533 | 533 |
"unshare", |
| 534 | 534 |
}, |
| 535 |
- Action: types.ActAllow, |
|
| 536 |
- Args: []*types.Arg{},
|
|
| 537 |
- Includes: types.Filter{
|
|
| 535 |
+ Action: specs.ActAllow, |
|
| 536 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 537 |
+ Includes: Filter{
|
|
| 538 | 538 |
Caps: []string{"CAP_SYS_ADMIN"},
|
| 539 | 539 |
}, |
| 540 | 540 |
}, |
| ... | ... |
@@ -542,16 +542,16 @@ func DefaultProfile() *types.Seccomp {
|
| 542 | 542 |
Names: []string{
|
| 543 | 543 |
"clone", |
| 544 | 544 |
}, |
| 545 |
- Action: types.ActAllow, |
|
| 546 |
- Args: []*types.Arg{
|
|
| 545 |
+ Action: specs.ActAllow, |
|
| 546 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 547 | 547 |
{
|
| 548 | 548 |
Index: 0, |
| 549 | 549 |
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, |
| 550 | 550 |
ValueTwo: 0, |
| 551 |
- Op: types.OpMaskedEqual, |
|
| 551 |
+ Op: specs.OpMaskedEqual, |
|
| 552 | 552 |
}, |
| 553 | 553 |
}, |
| 554 |
- Excludes: types.Filter{
|
|
| 554 |
+ Excludes: Filter{
|
|
| 555 | 555 |
Caps: []string{"CAP_SYS_ADMIN"},
|
| 556 | 556 |
Arches: []string{"s390", "s390x"},
|
| 557 | 557 |
}, |
| ... | ... |
@@ -560,20 +560,20 @@ func DefaultProfile() *types.Seccomp {
|
| 560 | 560 |
Names: []string{
|
| 561 | 561 |
"clone", |
| 562 | 562 |
}, |
| 563 |
- Action: types.ActAllow, |
|
| 564 |
- Args: []*types.Arg{
|
|
| 563 |
+ Action: specs.ActAllow, |
|
| 564 |
+ Args: []*specs.LinuxSeccompArg{
|
|
| 565 | 565 |
{
|
| 566 | 566 |
Index: 1, |
| 567 | 567 |
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, |
| 568 | 568 |
ValueTwo: 0, |
| 569 |
- Op: types.OpMaskedEqual, |
|
| 569 |
+ Op: specs.OpMaskedEqual, |
|
| 570 | 570 |
}, |
| 571 | 571 |
}, |
| 572 | 572 |
Comment: "s390 parameter ordering for clone is different", |
| 573 |
- Includes: types.Filter{
|
|
| 573 |
+ Includes: Filter{
|
|
| 574 | 574 |
Arches: []string{"s390", "s390x"},
|
| 575 | 575 |
}, |
| 576 |
- Excludes: types.Filter{
|
|
| 576 |
+ Excludes: Filter{
|
|
| 577 | 577 |
Caps: []string{"CAP_SYS_ADMIN"},
|
| 578 | 578 |
}, |
| 579 | 579 |
}, |
| ... | ... |
@@ -581,9 +581,9 @@ func DefaultProfile() *types.Seccomp {
|
| 581 | 581 |
Names: []string{
|
| 582 | 582 |
"reboot", |
| 583 | 583 |
}, |
| 584 |
- Action: types.ActAllow, |
|
| 585 |
- Args: []*types.Arg{},
|
|
| 586 |
- Includes: types.Filter{
|
|
| 584 |
+ Action: specs.ActAllow, |
|
| 585 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 586 |
+ Includes: Filter{
|
|
| 587 | 587 |
Caps: []string{"CAP_SYS_BOOT"},
|
| 588 | 588 |
}, |
| 589 | 589 |
}, |
| ... | ... |
@@ -591,9 +591,9 @@ func DefaultProfile() *types.Seccomp {
|
| 591 | 591 |
Names: []string{
|
| 592 | 592 |
"chroot", |
| 593 | 593 |
}, |
| 594 |
- Action: types.ActAllow, |
|
| 595 |
- Args: []*types.Arg{},
|
|
| 596 |
- Includes: types.Filter{
|
|
| 594 |
+ Action: specs.ActAllow, |
|
| 595 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 596 |
+ Includes: Filter{
|
|
| 597 | 597 |
Caps: []string{"CAP_SYS_CHROOT"},
|
| 598 | 598 |
}, |
| 599 | 599 |
}, |
| ... | ... |
@@ -603,9 +603,9 @@ func DefaultProfile() *types.Seccomp {
|
| 603 | 603 |
"init_module", |
| 604 | 604 |
"finit_module", |
| 605 | 605 |
}, |
| 606 |
- Action: types.ActAllow, |
|
| 607 |
- Args: []*types.Arg{},
|
|
| 608 |
- Includes: types.Filter{
|
|
| 606 |
+ Action: specs.ActAllow, |
|
| 607 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 608 |
+ Includes: Filter{
|
|
| 609 | 609 |
Caps: []string{"CAP_SYS_MODULE"},
|
| 610 | 610 |
}, |
| 611 | 611 |
}, |
| ... | ... |
@@ -613,9 +613,9 @@ func DefaultProfile() *types.Seccomp {
|
| 613 | 613 |
Names: []string{
|
| 614 | 614 |
"acct", |
| 615 | 615 |
}, |
| 616 |
- Action: types.ActAllow, |
|
| 617 |
- Args: []*types.Arg{},
|
|
| 618 |
- Includes: types.Filter{
|
|
| 616 |
+ Action: specs.ActAllow, |
|
| 617 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 618 |
+ Includes: Filter{
|
|
| 619 | 619 |
Caps: []string{"CAP_SYS_PACCT"},
|
| 620 | 620 |
}, |
| 621 | 621 |
}, |
| ... | ... |
@@ -626,9 +626,9 @@ func DefaultProfile() *types.Seccomp {
|
| 626 | 626 |
"process_vm_writev", |
| 627 | 627 |
"ptrace", |
| 628 | 628 |
}, |
| 629 |
- Action: types.ActAllow, |
|
| 630 |
- Args: []*types.Arg{},
|
|
| 631 |
- Includes: types.Filter{
|
|
| 629 |
+ Action: specs.ActAllow, |
|
| 630 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 631 |
+ Includes: Filter{
|
|
| 632 | 632 |
Caps: []string{"CAP_SYS_PTRACE"},
|
| 633 | 633 |
}, |
| 634 | 634 |
}, |
| ... | ... |
@@ -637,9 +637,9 @@ func DefaultProfile() *types.Seccomp {
|
| 637 | 637 |
"iopl", |
| 638 | 638 |
"ioperm", |
| 639 | 639 |
}, |
| 640 |
- Action: types.ActAllow, |
|
| 641 |
- Args: []*types.Arg{},
|
|
| 642 |
- Includes: types.Filter{
|
|
| 640 |
+ Action: specs.ActAllow, |
|
| 641 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 642 |
+ Includes: Filter{
|
|
| 643 | 643 |
Caps: []string{"CAP_SYS_RAWIO"},
|
| 644 | 644 |
}, |
| 645 | 645 |
}, |
| ... | ... |
@@ -649,9 +649,9 @@ func DefaultProfile() *types.Seccomp {
|
| 649 | 649 |
"stime", |
| 650 | 650 |
"clock_settime", |
| 651 | 651 |
}, |
| 652 |
- Action: types.ActAllow, |
|
| 653 |
- Args: []*types.Arg{},
|
|
| 654 |
- Includes: types.Filter{
|
|
| 652 |
+ Action: specs.ActAllow, |
|
| 653 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 654 |
+ Includes: Filter{
|
|
| 655 | 655 |
Caps: []string{"CAP_SYS_TIME"},
|
| 656 | 656 |
}, |
| 657 | 657 |
}, |
| ... | ... |
@@ -659,9 +659,9 @@ func DefaultProfile() *types.Seccomp {
|
| 659 | 659 |
Names: []string{
|
| 660 | 660 |
"vhangup", |
| 661 | 661 |
}, |
| 662 |
- Action: types.ActAllow, |
|
| 663 |
- Args: []*types.Arg{},
|
|
| 664 |
- Includes: types.Filter{
|
|
| 662 |
+ Action: specs.ActAllow, |
|
| 663 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 664 |
+ Includes: Filter{
|
|
| 665 | 665 |
Caps: []string{"CAP_SYS_TTY_CONFIG"},
|
| 666 | 666 |
}, |
| 667 | 667 |
}, |
| ... | ... |
@@ -671,9 +671,9 @@ func DefaultProfile() *types.Seccomp {
|
| 671 | 671 |
"mbind", |
| 672 | 672 |
"set_mempolicy", |
| 673 | 673 |
}, |
| 674 |
- Action: types.ActAllow, |
|
| 675 |
- Args: []*types.Arg{},
|
|
| 676 |
- Includes: types.Filter{
|
|
| 674 |
+ Action: specs.ActAllow, |
|
| 675 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 676 |
+ Includes: Filter{
|
|
| 677 | 677 |
Caps: []string{"CAP_SYS_NICE"},
|
| 678 | 678 |
}, |
| 679 | 679 |
}, |
| ... | ... |
@@ -681,16 +681,16 @@ func DefaultProfile() *types.Seccomp {
|
| 681 | 681 |
Names: []string{
|
| 682 | 682 |
"syslog", |
| 683 | 683 |
}, |
| 684 |
- Action: types.ActAllow, |
|
| 685 |
- Args: []*types.Arg{},
|
|
| 686 |
- Includes: types.Filter{
|
|
| 684 |
+ Action: specs.ActAllow, |
|
| 685 |
+ Args: []*specs.LinuxSeccompArg{},
|
|
| 686 |
+ Includes: Filter{
|
|
| 687 | 687 |
Caps: []string{"CAP_SYSLOG"},
|
| 688 | 688 |
}, |
| 689 | 689 |
}, |
| 690 | 690 |
} |
| 691 | 691 |
|
| 692 |
- return &types.Seccomp{
|
|
| 693 |
- DefaultAction: types.ActErrno, |
|
| 692 |
+ return &Seccomp{
|
|
| 693 |
+ DefaultAction: specs.ActErrno, |
|
| 694 | 694 |
ArchMap: arches(), |
| 695 | 695 |
Syscalls: syscalls, |
| 696 | 696 |
} |
| 697 | 697 |
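Review bot: `arches()` still carries no doc comment, and once its element type is the package-local `Architecture` a reader has to go to the bottom of DefaultProfile to see what it feeds; suggest `// arches returns the architecture/sub-architecture pairs that populate Seccomp.ArchMap in the default profile.` The many `Args: []*specs.LinuxSeccompArg{}` literals look like they exist so the generated JSON emits `"args": []` rather than `null` (Syscall.Args has no omitempty), so a one-line comment at the first occurrence would keep a later cleanup from dropping them as noise; I cannot confirm that intent from the hunks alone. DefaultProfile spans several hunks here with context omitted between them.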
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,38 @@ |
| 0 |
+package seccomp // import "github.com/docker/docker/profiles/seccomp" |
|
| 1 |
+ |
|
| 2 |
+import "github.com/opencontainers/runtime-spec/specs-go" |
|
| 3 |
+ |
|
| 4 |
+// Seccomp represents the config for a seccomp profile for syscall restriction. |
|
| 5 |
+type Seccomp struct {
|
|
| 6 |
+ DefaultAction specs.LinuxSeccompAction `json:"defaultAction"` |
|
| 7 |
+ // Architectures is kept to maintain backward compatibility with the old |
|
| 8 |
+ // seccomp profile. |
|
| 9 |
+ Architectures []specs.Arch `json:"architectures,omitempty"` |
|
| 10 |
+ ArchMap []Architecture `json:"archMap,omitempty"` |
|
| 11 |
+ Syscalls []*Syscall `json:"syscalls"` |
|
| 12 |
+} |
|
| 13 |
+ |
|
| 14 |
+// Architecture is used to represent a specific architecture |
|
| 15 |
+// and its sub-architectures |
|
| 16 |
+type Architecture struct {
|
|
| 17 |
+ Arch specs.Arch `json:"architecture"` |
|
| 18 |
+ SubArches []specs.Arch `json:"subArchitectures"` |
|
| 19 |
+} |
|
| 20 |
+ |
|
| 21 |
+// Filter is used to conditionally apply Seccomp rules |
|
| 22 |
+type Filter struct {
|
|
| 23 |
+ Caps []string `json:"caps,omitempty"` |
|
| 24 |
+ Arches []string `json:"arches,omitempty"` |
|
| 25 |
+ MinKernel string `json:"minKernel,omitempty"` |
|
| 26 |
+} |
|
| 27 |
+ |
|
| 28 |
+// Syscall is used to match a group of syscalls in Seccomp |
|
| 29 |
+type Syscall struct {
|
|
| 30 |
+ Name string `json:"name,omitempty"` |
|
| 31 |
+ Names []string `json:"names,omitempty"` |
|
| 32 |
+ Action specs.LinuxSeccompAction `json:"action"` |
|
| 33 |
+ Args []*specs.LinuxSeccompArg `json:"args"` |
|
| 34 |
+ Comment string `json:"comment"` |
|
| 35 |
+ Includes Filter `json:"includes"` |
|
| 36 |
+ Excludes Filter `json:"excludes"` |
|
| 37 |
+} |
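Review bot: `Seccomp`, `Architecture`, `Filter` and `Syscall` leave the public `api/types` package in this commit with no alias or `Deprecated:` note left behind, so any out-of-tree importer of `types.Seccomp` breaks at build time; if that is intended it deserves a sentence in the commit message, otherwise keeping deprecated aliases in api/types for a release would smooth the move (whether that would create an import cycle is not visible from here). The `Filter` doc is also thin now that the type is owned by this package; a comment such as `// Filter selects which syscall rules apply: Caps against the container's capability set, Arches against the native architecture, MinKernel against the host kernel version (see setupSeccomp).` would help, but the matching loop lives in setupSeccomp outside the visible hunks, so confirm the wording against it.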
| ... | ... |
@@ -8,7 +8,6 @@ import ( |
| 8 | 8 |
"fmt" |
| 9 | 9 |
"runtime" |
| 10 | 10 |
|
| 11 |
- "github.com/docker/docker/api/types" |
|
| 12 | 11 |
"github.com/docker/docker/pkg/parsers/kernel" |
| 13 | 12 |
specs "github.com/opencontainers/runtime-spec/specs-go" |
| 14 | 13 |
) |
| ... | ... |
@@ -20,7 +19,7 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
| 20 | 20 |
|
| 21 | 21 |
// LoadProfile takes a json string and decodes the seccomp profile. |
| 22 | 22 |
func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
| 23 |
- var config types.Seccomp |
|
| 23 |
+ var config Seccomp |
|
| 24 | 24 |
if err := json.Unmarshal([]byte(body), &config); err != nil {
|
| 25 | 25 |
return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
|
| 26 | 26 |
} |
| ... | ... |
@@ -28,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
| 28 | 28 |
} |
| 29 | 29 |
|
| 30 | 30 |
// libseccomp string => seccomp arch |
| 31 |
-var nativeToSeccomp = map[string]types.Arch{
|
|
| 32 |
- "x86": types.ArchX86, |
|
| 33 |
- "amd64": types.ArchX86_64, |
|
| 34 |
- "arm": types.ArchARM, |
|
| 35 |
- "arm64": types.ArchAARCH64, |
|
| 36 |
- "mips64": types.ArchMIPS64, |
|
| 37 |
- "mips64n32": types.ArchMIPS64N32, |
|
| 38 |
- "mipsel64": types.ArchMIPSEL64, |
|
| 39 |
- "mips3l64n32": types.ArchMIPSEL64N32, |
|
| 40 |
- "mipsle": types.ArchMIPSEL, |
|
| 41 |
- "ppc": types.ArchPPC, |
|
| 42 |
- "ppc64": types.ArchPPC64, |
|
| 43 |
- "ppc64le": types.ArchPPC64LE, |
|
| 44 |
- "s390": types.ArchS390, |
|
| 45 |
- "s390x": types.ArchS390X, |
|
| 31 |
+var nativeToSeccomp = map[string]specs.Arch{
|
|
| 32 |
+ "x86": specs.ArchX86, |
|
| 33 |
+ "amd64": specs.ArchX86_64, |
|
| 34 |
+ "arm": specs.ArchARM, |
|
| 35 |
+ "arm64": specs.ArchAARCH64, |
|
| 36 |
+ "mips64": specs.ArchMIPS64, |
|
| 37 |
+ "mips64n32": specs.ArchMIPS64N32, |
|
| 38 |
+ "mipsel64": specs.ArchMIPSEL64, |
|
| 39 |
+ "mips3l64n32": specs.ArchMIPSEL64N32, |
|
| 40 |
+ "mipsle": specs.ArchMIPSEL, |
|
| 41 |
+ "ppc": specs.ArchPPC, |
|
| 42 |
+ "ppc64": specs.ArchPPC64, |
|
| 43 |
+ "ppc64le": specs.ArchPPC64LE, |
|
| 44 |
+ "s390": specs.ArchS390, |
|
| 45 |
+ "s390x": specs.ArchS390X, |
|
| 46 | 46 |
} |
| 47 | 47 |
|
| 48 | 48 |
// GOARCH => libseccomp string |
| ... | ... |
@@ -74,7 +73,7 @@ func inSlice(slice []string, s string) bool {
|
| 74 | 74 |
return false |
| 75 | 75 |
} |
| 76 | 76 |
|
| 77 |
-func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
|
| 77 |
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
|
| 78 | 78 |
if config == nil {
|
| 79 | 79 |
return nil, nil |
| 80 | 80 |
} |
| ... | ... |
@@ -92,9 +91,7 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e |
| 92 | 92 |
|
| 93 | 93 |
// if config.Architectures == 0 then libseccomp will figure out the architecture to use |
| 94 | 94 |
if len(config.Architectures) != 0 {
|
| 95 |
- for _, a := range config.Architectures {
|
|
| 96 |
- newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a)) |
|
| 97 |
- } |
|
| 95 |
+ newConfig.Architectures = config.Architectures |
|
| 98 | 96 |
} |
| 99 | 97 |
|
| 100 | 98 |
arch := goToNative[runtime.GOARCH] |
| ... | ... |
@@ -103,16 +100,14 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e |
| 103 | 103 |
if len(config.ArchMap) != 0 && archExists {
|
| 104 | 104 |
for _, a := range config.ArchMap {
|
| 105 | 105 |
if a.Arch == seccompArch {
|
| 106 |
- newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch)) |
|
| 107 |
- for _, sa := range a.SubArches {
|
|
| 108 |
- newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa)) |
|
| 109 |
- } |
|
| 106 |
+ newConfig.Architectures = append(newConfig.Architectures, a.Arch) |
|
| 107 |
+ newConfig.Architectures = append(newConfig.Architectures, a.SubArches...) |
|
| 110 | 108 |
break |
| 111 | 109 |
} |
| 112 | 110 |
} |
| 113 | 111 |
} |
| 114 | 112 |
|
| 115 |
- newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) |
|
| 113 |
+ newConfig.DefaultAction = config.DefaultAction |
|
| 116 | 114 |
|
| 117 | 115 |
Loop: |
| 118 | 116 |
// Loop through all syscall blocks and convert them to libcontainer format after filtering them |
| ... | ... |
@@ -170,22 +165,15 @@ Loop: |
| 170 | 170 |
return newConfig, nil |
| 171 | 171 |
} |
| 172 | 172 |
|
| 173 |
-func createSpecsSyscall(names []string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
|
|
| 173 |
+func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
|
|
| 174 | 174 |
newCall := specs.LinuxSyscall{
|
| 175 | 175 |
Names: names, |
| 176 |
- Action: specs.LinuxSeccompAction(action), |
|
| 176 |
+ Action: action, |
|
| 177 | 177 |
} |
| 178 | 178 |
|
| 179 | 179 |
// Loop through all the arguments of the syscall and convert them |
| 180 | 180 |
for _, arg := range args {
|
| 181 |
- newArg := specs.LinuxSeccompArg{
|
|
| 182 |
- Index: arg.Index, |
|
| 183 |
- Value: arg.Value, |
|
| 184 |
- ValueTwo: arg.ValueTwo, |
|
| 185 |
- Op: specs.LinuxSeccompOperator(arg.Op), |
|
| 186 |
- } |
|
| 187 |
- |
|
| 188 |
- newCall.Args = append(newCall.Args, newArg) |
|
| 181 |
+ newCall.Args = append(newCall.Args, *arg) |
|
| 189 | 182 |
} |
| 190 | 183 |
return newCall |
| 191 | 184 |
} |
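Review bot: In setupSeccomp, `newConfig.Architectures = config.Architectures` aliases the decoded profile's slice where the removed loop built a fresh one, and the ArchMap branch a few lines below then appends to `newConfig.Architectures`; when the decoded slice has spare capacity those appends write into the profile's own backing array. Detaching preserves the old semantics in one line: `newConfig.Architectures = append([]specs.Arch(nil), config.Architectures...)`. Separately, createSpecsSyscall now does `newCall.Args = append(newCall.Args, *arg)` with no nil check, so a `null` element in a profile's `args` array panics during LoadProfile instead of returning an error; that predates this commit, but since this is a security filter a rejected profile is preferable to a skipped rule, so the check belongs in setupSeccomp before the call. setupSeccomp's body continues outside the visible hunks.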
| ... | ... |
@@ -2,11 +2,7 @@ |
| 2 | 2 |
|
| 3 | 3 |
package seccomp // import "github.com/docker/docker/profiles/seccomp" |
| 4 | 4 |
|
| 5 |
-import ( |
|
| 6 |
- "github.com/docker/docker/api/types" |
|
| 7 |
-) |
|
| 8 |
- |
|
| 9 | 5 |
// DefaultProfile returns a nil pointer on unsupported systems. |
| 10 |
-func DefaultProfile() *types.Seccomp {
|
|
| 6 |
+func DefaultProfile() *Seccomp {
|
|
| 11 | 7 |
return nil |
| 12 | 8 |
} |