
seccomp: move seccomp types from api into seccomp profile

These types were not used in the API, so I could not come up with
a reason why they were in that package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 4 年之前
父節點
當前提交
0efee50b95
共有 4 個文件被更改,包括 119 次插入125 次删除
  1. 99 100
      profiles/seccomp/default_linux.go
  2. 1 1
      profiles/seccomp/seccomp.go
  3. 18 19
      profiles/seccomp/seccomp_linux.go
  4. 1 5
      profiles/seccomp/seccomp_unsupported.go

+ 99 - 100
profiles/seccomp/default_linux.go

@@ -3,46 +3,45 @@
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 import (
-	"github.com/docker/docker/api/types"
 	"golang.org/x/sys/unix"
 )
 
-func arches() []types.Architecture {
-	return []types.Architecture{
+func arches() []Architecture {
+	return []Architecture{
 		{
-			Arch:      types.ArchX86_64,
-			SubArches: []types.Arch{types.ArchX86, types.ArchX32},
+			Arch:      ArchX86_64,
+			SubArches: []Arch{ArchX86, ArchX32},
 		},
 		{
-			Arch:      types.ArchAARCH64,
-			SubArches: []types.Arch{types.ArchARM},
+			Arch:      ArchAARCH64,
+			SubArches: []Arch{ArchARM},
 		},
 		{
-			Arch:      types.ArchMIPS64,
-			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
+			Arch:      ArchMIPS64,
+			SubArches: []Arch{ArchMIPS, ArchMIPS64N32},
 		},
 		{
-			Arch:      types.ArchMIPS64N32,
-			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
+			Arch:      ArchMIPS64N32,
+			SubArches: []Arch{ArchMIPS, ArchMIPS64},
 		},
 		{
-			Arch:      types.ArchMIPSEL64,
-			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
+			Arch:      ArchMIPSEL64,
+			SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32},
 		},
 		{
-			Arch:      types.ArchMIPSEL64N32,
-			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
+			Arch:      ArchMIPSEL64N32,
+			SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64},
 		},
 		{
-			Arch:      types.ArchS390X,
-			SubArches: []types.Arch{types.ArchS390},
+			Arch:      ArchS390X,
+			SubArches: []Arch{ArchS390},
 		},
 	}
 }
 
 // DefaultProfile defines the allowed syscalls for the default seccomp profile.
-func DefaultProfile() *types.Seccomp {
-	syscalls := []*types.Syscall{
+func DefaultProfile() *Seccomp {
+	syscalls := []*Syscall{
 		{
 			Names: []string{
 				"accept",
@@ -382,68 +381,68 @@ func DefaultProfile() *types.Seccomp {
 				"write",
 				"writev",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
+			Action: ActAllow,
+			Args:   []*Arg{},
 		},
 		{
 			Names:  []string{"ptrace"},
-			Action: types.ActAllow,
-			Includes: types.Filter{
+			Action: ActAllow,
+			Includes: Filter{
 				MinKernel: "4.8",
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index: 0,
 					Value: 0x0,
-					Op:    types.OpEqualTo,
+					Op:    OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index: 0,
 					Value: 0x0008,
-					Op:    types.OpEqualTo,
+					Op:    OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index: 0,
 					Value: 0x20000,
-					Op:    types.OpEqualTo,
+					Op:    OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index: 0,
 					Value: 0x20008,
-					Op:    types.OpEqualTo,
+					Op:    OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index: 0,
 					Value: 0xffffffff,
-					Op:    types.OpEqualTo,
+					Op:    OpEqualTo,
 				},
 			},
 		},
@@ -451,9 +450,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"sync_file_range2",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Arches: []string{"ppc64le"},
 			},
 		},
@@ -466,9 +465,9 @@ func DefaultProfile() *types.Seccomp {
 				"cacheflush",
 				"set_tls",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Arches: []string{"arm", "arm64"},
 			},
 		},
@@ -476,9 +475,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"arch_prctl",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Arches: []string{"amd64", "x32"},
 			},
 		},
@@ -486,9 +485,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"modify_ldt",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Arches: []string{"amd64", "x32", "x86"},
 			},
 		},
@@ -498,9 +497,9 @@ func DefaultProfile() *types.Seccomp {
 				"s390_pci_mmio_write",
 				"s390_runtime_instr",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Arches: []string{"s390", "s390x"},
 			},
 		},
@@ -508,9 +507,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"open_by_handle_at",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
 		},
@@ -532,9 +531,9 @@ func DefaultProfile() *types.Seccomp {
 				"umount2",
 				"unshare",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -542,16 +541,16 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index:    0,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       types.OpMaskedEqual,
+					Op:       OpMaskedEqual,
 				},
 			},
-			Excludes: types.Filter{
+			Excludes: Filter{
 				Caps:   []string{"CAP_SYS_ADMIN"},
 				Arches: []string{"s390", "s390x"},
 			},
@@ -560,20 +559,20 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: ActAllow,
+			Args: []*Arg{
 				{
 					Index:    1,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       types.OpMaskedEqual,
+					Op:       OpMaskedEqual,
 				},
 			},
 			Comment: "s390 parameter ordering for clone is different",
-			Includes: types.Filter{
+			Includes: Filter{
 				Arches: []string{"s390", "s390x"},
 			},
-			Excludes: types.Filter{
+			Excludes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -581,9 +580,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"reboot",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_BOOT"},
 			},
 		},
@@ -591,9 +590,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"chroot",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
 		},
@@ -603,9 +602,9 @@ func DefaultProfile() *types.Seccomp {
 				"init_module",
 				"finit_module",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
 		},
@@ -613,9 +612,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"acct",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
 		},
@@ -626,9 +625,9 @@ func DefaultProfile() *types.Seccomp {
 				"process_vm_writev",
 				"ptrace",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
 		},
@@ -637,9 +636,9 @@ func DefaultProfile() *types.Seccomp {
 				"iopl",
 				"ioperm",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
 		},
@@ -649,9 +648,9 @@ func DefaultProfile() *types.Seccomp {
 				"stime",
 				"clock_settime",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_TIME"},
 			},
 		},
@@ -659,9 +658,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"vhangup",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
@@ -671,9 +670,9 @@ func DefaultProfile() *types.Seccomp {
 				"mbind",
 				"set_mempolicy",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 		},
@@ -681,16 +680,16 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"syslog",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: ActAllow,
+			Args:   []*Arg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYSLOG"},
 			},
 		},
 	}
 
-	return &types.Seccomp{
-		DefaultAction: types.ActErrno,
+	return &Seccomp{
+		DefaultAction: ActErrno,
 		ArchMap:       arches(),
 		Syscalls:      syscalls,
 	}

+ 1 - 1
api/types/seccomp.go → profiles/seccomp/seccomp.go

@@ -1,4 +1,4 @@
-package types // import "github.com/docker/docker/api/types"
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {

+ 18 - 19
profiles/seccomp/seccomp_linux.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"runtime"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/parsers/kernel"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -20,7 +19,7 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 
 // LoadProfile takes a json string and decodes the seccomp profile.
 func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
-	var config types.Seccomp
+	var config Seccomp
 	if err := json.Unmarshal([]byte(body), &config); err != nil {
 		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
 	}
@@ -28,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 }
 
 // libseccomp string => seccomp arch
-var nativeToSeccomp = map[string]types.Arch{
-	"x86":         types.ArchX86,
-	"amd64":       types.ArchX86_64,
-	"arm":         types.ArchARM,
-	"arm64":       types.ArchAARCH64,
-	"mips64":      types.ArchMIPS64,
-	"mips64n32":   types.ArchMIPS64N32,
-	"mipsel64":    types.ArchMIPSEL64,
-	"mips3l64n32": types.ArchMIPSEL64N32,
-	"mipsle":      types.ArchMIPSEL,
-	"ppc":         types.ArchPPC,
-	"ppc64":       types.ArchPPC64,
-	"ppc64le":     types.ArchPPC64LE,
-	"s390":        types.ArchS390,
-	"s390x":       types.ArchS390X,
+var nativeToSeccomp = map[string]Arch{
+	"x86":         ArchX86,
+	"amd64":       ArchX86_64,
+	"arm":         ArchARM,
+	"arm64":       ArchAARCH64,
+	"mips64":      ArchMIPS64,
+	"mips64n32":   ArchMIPS64N32,
+	"mipsel64":    ArchMIPSEL64,
+	"mips3l64n32": ArchMIPSEL64N32,
+	"mipsle":      ArchMIPSEL,
+	"ppc":         ArchPPC,
+	"ppc64":       ArchPPC64,
+	"ppc64le":     ArchPPC64LE,
+	"s390":        ArchS390,
+	"s390x":       ArchS390X,
 }
 
 // GOARCH => libseccomp string
@@ -74,7 +73,7 @@ func inSlice(slice []string, s string) bool {
 	return false
 }
 
-func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 	if config == nil {
 		return nil, nil
 	}
@@ -170,7 +169,7 @@ Loop:
 	return newConfig, nil
 }
 
-func createSpecsSyscall(names []string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(names []string, action Action, args []*Arg) specs.LinuxSyscall {
 	newCall := specs.LinuxSyscall{
 		Names:  names,
 		Action: specs.LinuxSeccompAction(action),
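Review bot: In the LoadProfile hunk, `json.Unmarshal([]byte(body), &config)` decodes an operator-supplied seccomp profile while silently discarding unknown keys, so a misspelled field (a typo in a filter or action key, for instance) is dropped and the profile loads with different restrictions than the author intended; for a security policy loader it is worth rejecting such input explicitly with `dec := json.NewDecoder(strings.NewReader(body))`, `dec.DisallowUnknownFields()`, `if err := dec.Decode(&config); err != nil {`. This is stricter than the current behaviour and may reject profiles that load today, so it probably warrants a changelog entry; the `strings` import is not visible in this section's import hunk and would need adding if the file lacks it. While there, the error on the next line could be lowercased and wrap with `%w` instead of `%v` so callers can inspect the underlying `*json.SyntaxError`. LoadProfile's body continues past the end of this hunk.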

+ 1 - 5
profiles/seccomp/seccomp_unsupported.go

@@ -2,11 +2,7 @@
 
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
-import (
-	"github.com/docker/docker/api/types"
-)
-
 // DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *types.Seccomp {
+func DefaultProfile() *Seccomp {
 	return nil
 }