
seccomp: replace types with runtime-spec types

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 4 years ago
0d75b63987

+ 0 - 7
profiles/seccomp/default.json

@@ -416,7 +416,6 @@
 				{
 					"index": 0,
 					"value": 0,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -433,7 +432,6 @@
 				{
 					"index": 0,
 					"value": 8,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -450,7 +448,6 @@
 				{
 					"index": 0,
 					"value": 131072,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -467,7 +464,6 @@
 				{
 					"index": 0,
 					"value": 131080,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -484,7 +480,6 @@
 				{
 					"index": 0,
 					"value": 4294967295,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -625,7 +620,6 @@
 				{
 					"index": 0,
 					"value": 2114060288,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
@@ -650,7 +644,6 @@
 				{
 					"index": 1,
 					"value": 2114060288,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],

+ 74 - 73
profiles/seccomp/default_linux.go

@@ -3,38 +3,39 @@
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 import (
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 )
 
 func arches() []Architecture {
 	return []Architecture{
 		{
-			Arch:      ArchX86_64,
-			SubArches: []Arch{ArchX86, ArchX32},
+			Arch:      specs.ArchX86_64,
+			SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32},
 		},
 		{
-			Arch:      ArchAARCH64,
-			SubArches: []Arch{ArchARM},
+			Arch:      specs.ArchAARCH64,
+			SubArches: []specs.Arch{specs.ArchARM},
 		},
 		{
-			Arch:      ArchMIPS64,
-			SubArches: []Arch{ArchMIPS, ArchMIPS64N32},
+			Arch:      specs.ArchMIPS64,
+			SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32},
 		},
 		{
-			Arch:      ArchMIPS64N32,
-			SubArches: []Arch{ArchMIPS, ArchMIPS64},
+			Arch:      specs.ArchMIPS64N32,
+			SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64},
 		},
 		{
-			Arch:      ArchMIPSEL64,
-			SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32},
+			Arch:      specs.ArchMIPSEL64,
+			SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32},
 		},
 		{
-			Arch:      ArchMIPSEL64N32,
-			SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64},
+			Arch:      specs.ArchMIPSEL64N32,
+			SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64},
 		},
 		{
-			Arch:      ArchS390X,
-			SubArches: []Arch{ArchS390},
+			Arch:      specs.ArchS390X,
+			SubArches: []specs.Arch{specs.ArchS390},
 		},
 	}
 }
@@ -381,68 +382,68 @@ func DefaultProfile() *Seccomp {
 				"write",
 				"writev",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 		},
 		{
 			Names:  []string{"ptrace"},
-			Action: ActAllow,
+			Action: specs.ActAllow,
 			Includes: Filter{
 				MinKernel: "4.8",
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x0,
-					Op:    OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x0008,
-					Op:    OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x20000,
-					Op:    OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x20008,
-					Op:    OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0xffffffff,
-					Op:    OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
@@ -450,8 +451,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"sync_file_range2",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Arches: []string{"ppc64le"},
 			},
@@ -465,8 +466,8 @@ func DefaultProfile() *Seccomp {
 				"cacheflush",
 				"set_tls",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Arches: []string{"arm", "arm64"},
 			},
@@ -475,8 +476,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"arch_prctl",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Arches: []string{"amd64", "x32"},
 			},
@@ -485,8 +486,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"modify_ldt",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Arches: []string{"amd64", "x32", "x86"},
 			},
@@ -497,8 +498,8 @@ func DefaultProfile() *Seccomp {
 				"s390_pci_mmio_write",
 				"s390_runtime_instr",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Arches: []string{"s390", "s390x"},
 			},
@@ -507,8 +508,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"open_by_handle_at",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
@@ -531,8 +532,8 @@ func DefaultProfile() *Seccomp {
 				"umount2",
 				"unshare",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
@@ -541,13 +542,13 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index:    0,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       OpMaskedEqual,
+					Op:       specs.OpMaskedEqual,
 				},
 			},
 			Excludes: Filter{
@@ -559,13 +560,13 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: ActAllow,
-			Args: []*Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index:    1,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       OpMaskedEqual,
+					Op:       specs.OpMaskedEqual,
 				},
 			},
 			Comment: "s390 parameter ordering for clone is different",
@@ -580,8 +581,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"reboot",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_BOOT"},
 			},
@@ -590,8 +591,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"chroot",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
@@ -602,8 +603,8 @@ func DefaultProfile() *Seccomp {
 				"init_module",
 				"finit_module",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
@@ -612,8 +613,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"acct",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
@@ -625,8 +626,8 @@ func DefaultProfile() *Seccomp {
 				"process_vm_writev",
 				"ptrace",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
@@ -636,8 +637,8 @@ func DefaultProfile() *Seccomp {
 				"iopl",
 				"ioperm",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
@@ -648,8 +649,8 @@ func DefaultProfile() *Seccomp {
 				"stime",
 				"clock_settime",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_TIME"},
 			},
@@ -658,8 +659,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"vhangup",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
@@ -670,8 +671,8 @@ func DefaultProfile() *Seccomp {
 				"mbind",
 				"set_mempolicy",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_NICE"},
 			},
@@ -680,8 +681,8 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"syslog",
 			},
-			Action: ActAllow,
-			Args:   []*Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYSLOG"},
 			},
@@ -689,7 +690,7 @@ func DefaultProfile() *Seccomp {
 	}
 
 	return &Seccomp{
-		DefaultAction: ActErrno,
+		DefaultAction: specs.ActErrno,
 		ArchMap:       arches(),
 		Syscalls:      syscalls,
 	}

+ 13 - 69
profiles/seccomp/seccomp.go

@@ -1,11 +1,13 @@
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
+import "github.com/opencontainers/runtime-spec/specs-go"
+
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
-	DefaultAction Action `json:"defaultAction"`
+	DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
 	// Architectures is kept to maintain backward compatibility with the old
 	// seccomp profile.
-	Architectures []Arch         `json:"architectures,omitempty"`
+	Architectures []specs.Arch   `json:"architectures,omitempty"`
 	ArchMap       []Architecture `json:"archMap,omitempty"`
 	Syscalls      []*Syscall     `json:"syscalls"`
 }
@@ -13,66 +15,8 @@ type Seccomp struct {
 // Architecture is used to represent a specific architecture
 // and its sub-architectures
 type Architecture struct {
-	Arch      Arch   `json:"architecture"`
-	SubArches []Arch `json:"subArchitectures"`
-}
-
-// Arch used for architectures
-type Arch string
-
-// Additional architectures permitted to be used for system calls
-// By default only the native architecture of the kernel is permitted
-const (
-	ArchX86         Arch = "SCMP_ARCH_X86"
-	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
-	ArchX32         Arch = "SCMP_ARCH_X32"
-	ArchARM         Arch = "SCMP_ARCH_ARM"
-	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
-	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
-	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
-	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
-	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
-	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
-	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
-	ArchPPC         Arch = "SCMP_ARCH_PPC"
-	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
-	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
-	ArchS390        Arch = "SCMP_ARCH_S390"
-	ArchS390X       Arch = "SCMP_ARCH_S390X"
-)
-
-// Action taken upon Seccomp rule match
-type Action string
-
-// Define actions for Seccomp rules
-const (
-	ActKill  Action = "SCMP_ACT_KILL"
-	ActTrap  Action = "SCMP_ACT_TRAP"
-	ActErrno Action = "SCMP_ACT_ERRNO"
-	ActTrace Action = "SCMP_ACT_TRACE"
-	ActAllow Action = "SCMP_ACT_ALLOW"
-)
-
-// Operator used to match syscall arguments in Seccomp
-type Operator string
-
-// Define operators for syscall arguments in Seccomp
-const (
-	OpNotEqual     Operator = "SCMP_CMP_NE"
-	OpLessThan     Operator = "SCMP_CMP_LT"
-	OpLessEqual    Operator = "SCMP_CMP_LE"
-	OpEqualTo      Operator = "SCMP_CMP_EQ"
-	OpGreaterEqual Operator = "SCMP_CMP_GE"
-	OpGreaterThan  Operator = "SCMP_CMP_GT"
-	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
-)
-
-// Arg used for matching specific syscall arguments in Seccomp
-type Arg struct {
-	Index    uint     `json:"index"`
-	Value    uint64   `json:"value"`
-	ValueTwo uint64   `json:"valueTwo"`
-	Op       Operator `json:"op"`
+	Arch      specs.Arch   `json:"architecture"`
+	SubArches []specs.Arch `json:"subArchitectures"`
 }
 
 // Filter is used to conditionally apply Seccomp rules
@@ -84,11 +28,11 @@ type Filter struct {
 
 // Syscall is used to match a group of syscalls in Seccomp
 type Syscall struct {
-	Name     string   `json:"name,omitempty"`
-	Names    []string `json:"names,omitempty"`
-	Action   Action   `json:"action"`
-	Args     []*Arg   `json:"args"`
-	Comment  string   `json:"comment"`
-	Includes Filter   `json:"includes"`
-	Excludes Filter   `json:"excludes"`
+	Name     string                   `json:"name,omitempty"`
+	Names    []string                 `json:"names,omitempty"`
+	Action   specs.LinuxSeccompAction `json:"action"`
+	Args     []*specs.LinuxSeccompArg `json:"args"`
+	Comment  string                   `json:"comment"`
+	Includes Filter                   `json:"includes"`
+	Excludes Filter                   `json:"excludes"`
 }
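Review bot: Deleting the exported `Arch`, `Action`, `Operator` and `Arg` types together with their `Arch*`, `Act*` and `Op*` constants (second hunk) is a breaking API change for any out-of-tree importer of `profiles/seccomp`, and neither the commit message nor the code notes it. Type aliases would let old callers keep compiling while the package itself uses the spec types: `type Arch = specs.Arch`, `type Action = specs.LinuxSeccompAction`, `type Arg = specs.LinuxSeccompArg`, plus `type Operator = specs.LinuxSeccompOperator` and a const block that re-exports the old constant names as the corresponding `specs` constants. Whether any external consumer actually uses these names is not visible from the diff; if none does, a sentence in the commit message recording the intentional removal is enough.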

+ 22 - 33
profiles/seccomp/seccomp_linux.go

@@ -27,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 }
 
 // libseccomp string => seccomp arch
-var nativeToSeccomp = map[string]Arch{
-	"x86":         ArchX86,
-	"amd64":       ArchX86_64,
-	"arm":         ArchARM,
-	"arm64":       ArchAARCH64,
-	"mips64":      ArchMIPS64,
-	"mips64n32":   ArchMIPS64N32,
-	"mipsel64":    ArchMIPSEL64,
-	"mips3l64n32": ArchMIPSEL64N32,
-	"mipsle":      ArchMIPSEL,
-	"ppc":         ArchPPC,
-	"ppc64":       ArchPPC64,
-	"ppc64le":     ArchPPC64LE,
-	"s390":        ArchS390,
-	"s390x":       ArchS390X,
+var nativeToSeccomp = map[string]specs.Arch{
+	"x86":         specs.ArchX86,
+	"amd64":       specs.ArchX86_64,
+	"arm":         specs.ArchARM,
+	"arm64":       specs.ArchAARCH64,
+	"mips64":      specs.ArchMIPS64,
+	"mips64n32":   specs.ArchMIPS64N32,
+	"mipsel64":    specs.ArchMIPSEL64,
+	"mips3l64n32": specs.ArchMIPSEL64N32,
+	"mipsle":      specs.ArchMIPSEL,
+	"ppc":         specs.ArchPPC,
+	"ppc64":       specs.ArchPPC64,
+	"ppc64le":     specs.ArchPPC64LE,
+	"s390":        specs.ArchS390,
+	"s390x":       specs.ArchS390X,
 }
 
 // GOARCH => libseccomp string
@@ -91,9 +91,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 
 	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
 	if len(config.Architectures) != 0 {
-		for _, a := range config.Architectures {
-			newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
-		}
+		newConfig.Architectures = config.Architectures
 	}
 
 	arch := goToNative[runtime.GOARCH]
@@ -102,16 +100,14 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 	if len(config.ArchMap) != 0 && archExists {
 		for _, a := range config.ArchMap {
 			if a.Arch == seccompArch {
-				newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
-				for _, sa := range a.SubArches {
-					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
-				}
+				newConfig.Architectures = append(newConfig.Architectures, a.Arch)
+				newConfig.Architectures = append(newConfig.Architectures, a.SubArches...)
 				break
 			}
 		}
 	}
 
-	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+	newConfig.DefaultAction = config.DefaultAction
 
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
@@ -169,22 +165,15 @@ Loop:
 	return newConfig, nil
 }
 
-func createSpecsSyscall(names []string, action Action, args []*Arg) specs.LinuxSyscall {
+func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
 	newCall := specs.LinuxSyscall{
 		Names:  names,
-		Action: specs.LinuxSeccompAction(action),
+		Action: action,
 	}
 
 	// Loop through all the arguments of the syscall and convert them
 	for _, arg := range args {
-		newArg := specs.LinuxSeccompArg{
-			Index:    arg.Index,
-			Value:    arg.Value,
-			ValueTwo: arg.ValueTwo,
-			Op:       specs.LinuxSeccompOperator(arg.Op),
-		}
-
-		newCall.Args = append(newCall.Args, newArg)
+		newCall.Args = append(newCall.Args, *arg)
 	}
 	return newCall
 }
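Review bot: The `*arg` in the last hunk's `append` dereferences every element of `args` without a nil check, so a profile whose JSON contains `"args": [null]` panics inside createSpecsSyscall; `LoadProfile` takes the profile body as a string, so this is reachable from a user-supplied profile. The deref already existed through `arg.Index` before the change, so it is not introduced here, but the rewrite is the moment to close it. Since createSpecsSyscall has no error return and silently skipping an entry would widen an allow rule to every invocation of the syscall, the check belongs where the syscall blocks are iterated in setupSeccomp (its Loop starts outside this hunk), returning an error for a nil argument instead of dropping it. Separately, `newConfig.Architectures = config.Architectures` in the second hunk now shares the caller's backing array, and the later `append` in the ArchMap branch can write into that array's spare capacity; `newConfig.Architectures = append([]specs.Arch(nil), config.Architectures...)` preserves the copy semantics the removed loop had.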