Merge pull request #41471 from thaJeztah/seccomp_rewrite

seccomp: refactor to use runtime-spec types where possible

api/types/seccomp.go

@@ -1,94 +0,0 @@
-package types // import "github.com/docker/docker/api/types"
-
-// Seccomp represents the config for a seccomp profile for syscall restriction.
-type Seccomp struct {
-	DefaultAction Action `json:"defaultAction"`
-	// Architectures is kept to maintain backward compatibility with the old
-	// seccomp profile.
-	Architectures []Arch         `json:"architectures,omitempty"`
-	ArchMap       []Architecture `json:"archMap,omitempty"`
-	Syscalls      []*Syscall     `json:"syscalls"`
-}
-
-// Architecture is used to represent a specific architecture
-// and its sub-architectures
-type Architecture struct {
-	Arch      Arch   `json:"architecture"`
-	SubArches []Arch `json:"subArchitectures"`
-}
-
-// Arch used for architectures
-type Arch string
-
-// Additional architectures permitted to be used for system calls
-// By default only the native architecture of the kernel is permitted
-const (
-	ArchX86         Arch = "SCMP_ARCH_X86"
-	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
-	ArchX32         Arch = "SCMP_ARCH_X32"
-	ArchARM         Arch = "SCMP_ARCH_ARM"
-	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
-	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
-	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
-	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
-	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
-	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
-	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
-	ArchPPC         Arch = "SCMP_ARCH_PPC"
-	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
-	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
-	ArchS390        Arch = "SCMP_ARCH_S390"
-	ArchS390X       Arch = "SCMP_ARCH_S390X"
-)
-
-// Action taken upon Seccomp rule match
-type Action string
-
-// Define actions for Seccomp rules
-const (
-	ActKill  Action = "SCMP_ACT_KILL"
-	ActTrap  Action = "SCMP_ACT_TRAP"
-	ActErrno Action = "SCMP_ACT_ERRNO"
-	ActTrace Action = "SCMP_ACT_TRACE"
-	ActAllow Action = "SCMP_ACT_ALLOW"
-)
-
-// Operator used to match syscall arguments in Seccomp
-type Operator string
-
-// Define operators for syscall arguments in Seccomp
-const (
-	OpNotEqual     Operator = "SCMP_CMP_NE"
-	OpLessThan     Operator = "SCMP_CMP_LT"
-	OpLessEqual    Operator = "SCMP_CMP_LE"
-	OpEqualTo      Operator = "SCMP_CMP_EQ"
-	OpGreaterEqual Operator = "SCMP_CMP_GE"
-	OpGreaterThan  Operator = "SCMP_CMP_GT"
-	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
-)
-
-// Arg used for matching specific syscall arguments in Seccomp
-type Arg struct {
-	Index    uint     `json:"index"`
-	Value    uint64   `json:"value"`
-	ValueTwo uint64   `json:"valueTwo"`
-	Op       Operator `json:"op"`
-}
-
-// Filter is used to conditionally apply Seccomp rules
-type Filter struct {
-	Caps      []string `json:"caps,omitempty"`
-	Arches    []string `json:"arches,omitempty"`
-	MinKernel string   `json:"minKernel,omitempty"`
-}
-
-// Syscall is used to match a group of syscalls in Seccomp
-type Syscall struct {
-	Name     string   `json:"name,omitempty"`
-	Names    []string `json:"names,omitempty"`
-	Action   Action   `json:"action"`
-	Args     []*Arg   `json:"args"`
-	Comment  string   `json:"comment"`
-	Includes Filter   `json:"includes"`
-	Excludes Filter   `json:"excludes"`
-}

profiles/seccomp/default.json

@@ -416,7 +416,6 @@
 				{
 					"index": 0,
 					"value": 0,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -433,7 +432,6 @@
 				{
 					"index": 0,
 					"value": 8,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -450,7 +448,6 @@
 				{
 					"index": 0,
 					"value": 131072,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -467,7 +464,6 @@
 				{
 					"index": 0,
 					"value": 131080,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -484,7 +480,6 @@
 				{
 					"index": 0,
 					"value": 4294967295,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_EQ"
 				}
 			],
@@ -625,7 +620,6 @@
 				{
 					"index": 0,
 					"value": 2114060288,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
@@ -650,7 +644,6 @@
 				{
 					"index": 1,
 					"value": 2114060288,
-					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],

profiles/seccomp/default_linux.go

@@ -3,46 +3,46 @@
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 import (
-	"github.com/docker/docker/api/types"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 )
 
-func arches() []types.Architecture {
-	return []types.Architecture{
+func arches() []Architecture {
+	return []Architecture{
 		{
-			Arch:      types.ArchX86_64,
-			SubArches: []types.Arch{types.ArchX86, types.ArchX32},
+			Arch:      specs.ArchX86_64,
+			SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32},
 		},
 		{
-			Arch:      types.ArchAARCH64,
-			SubArches: []types.Arch{types.ArchARM},
+			Arch:      specs.ArchAARCH64,
+			SubArches: []specs.Arch{specs.ArchARM},
 		},
 		{
-			Arch:      types.ArchMIPS64,
-			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
+			Arch:      specs.ArchMIPS64,
+			SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32},
 		},
 		{
-			Arch:      types.ArchMIPS64N32,
-			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
+			Arch:      specs.ArchMIPS64N32,
+			SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64},
 		},
 		{
-			Arch:      types.ArchMIPSEL64,
-			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
+			Arch:      specs.ArchMIPSEL64,
+			SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32},
 		},
 		{
-			Arch:      types.ArchMIPSEL64N32,
-			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
+			Arch:      specs.ArchMIPSEL64N32,
+			SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64},
 		},
 		{
-			Arch:      types.ArchS390X,
-			SubArches: []types.Arch{types.ArchS390},
+			Arch:      specs.ArchS390X,
+			SubArches: []specs.Arch{specs.ArchS390},
 		},
 	}
 }
 
 // DefaultProfile defines the allowed syscalls for the default seccomp profile.
-func DefaultProfile() *types.Seccomp {
-	syscalls := []*types.Syscall{
+func DefaultProfile() *Seccomp {
+	syscalls := []*Syscall{
 		{
 			Names: []string{
 				"accept",
@@ -382,68 +382,68 @@ func DefaultProfile() *types.Seccomp {
 				"write",
 				"writev",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
 		},
 		{
 			Names:  []string{"ptrace"},
-			Action: types.ActAllow,
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Includes: Filter{
 				MinKernel: "4.8",
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x0,
-					Op:    types.OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x0008,
-					Op:    types.OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x20000,
-					Op:    types.OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0x20008,
-					Op:    types.OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
 		{
 			Names:  []string{"personality"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index: 0,
 					Value: 0xffffffff,
-					Op:    types.OpEqualTo,
+					Op:    specs.OpEqualTo,
 				},
 			},
 		},
@@ -451,9 +451,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"sync_file_range2",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Arches: []string{"ppc64le"},
 			},
 		},
@@ -466,9 +466,9 @@ func DefaultProfile() *types.Seccomp {
 				"cacheflush",
 				"set_tls",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Arches: []string{"arm", "arm64"},
 			},
 		},
@@ -476,9 +476,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"arch_prctl",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Arches: []string{"amd64", "x32"},
 			},
 		},
@@ -486,9 +486,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"modify_ldt",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Arches: []string{"amd64", "x32", "x86"},
 			},
 		},
@@ -498,9 +498,9 @@ func DefaultProfile() *types.Seccomp {
 				"s390_pci_mmio_write",
 				"s390_runtime_instr",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Arches: []string{"s390", "s390x"},
 			},
 		},
@@ -508,9 +508,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"open_by_handle_at",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
 		},
@@ -532,9 +532,9 @@ func DefaultProfile() *types.Seccomp {
 				"umount2",
 				"unshare",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -542,16 +542,16 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index:    0,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       types.OpMaskedEqual,
+					Op:       specs.OpMaskedEqual,
 				},
 			},
-			Excludes: types.Filter{
+			Excludes: Filter{
 				Caps:   []string{"CAP_SYS_ADMIN"},
 				Arches: []string{"s390", "s390x"},
 			},
@@ -560,20 +560,20 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"clone",
 			},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
+			Action: specs.ActAllow,
+			Args: []*specs.LinuxSeccompArg{
 				{
 					Index:    1,
 					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
-					Op:       types.OpMaskedEqual,
+					Op:       specs.OpMaskedEqual,
 				},
 			},
 			Comment: "s390 parameter ordering for clone is different",
-			Includes: types.Filter{
+			Includes: Filter{
 				Arches: []string{"s390", "s390x"},
 			},
-			Excludes: types.Filter{
+			Excludes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -581,9 +581,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"reboot",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_BOOT"},
 			},
 		},
@@ -591,9 +591,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"chroot",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
 		},
@@ -603,9 +603,9 @@ func DefaultProfile() *types.Seccomp {
 				"init_module",
 				"finit_module",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
 		},
@@ -613,9 +613,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"acct",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
 		},
@@ -626,9 +626,9 @@ func DefaultProfile() *types.Seccomp {
 				"process_vm_writev",
 				"ptrace",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
 		},
@@ -637,9 +637,9 @@ func DefaultProfile() *types.Seccomp {
 				"iopl",
 				"ioperm",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
 		},
@@ -649,9 +649,9 @@ func DefaultProfile() *types.Seccomp {
 				"stime",
 				"clock_settime",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_TIME"},
 			},
 		},
@@ -659,9 +659,9 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"vhangup",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
@@ -671,9 +671,9 @@ func DefaultProfile() *types.Seccomp {
 				"mbind",
 				"set_mempolicy",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 		},
@@ -681,16 +681,16 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"syslog",
 			},
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-			Includes: types.Filter{
+			Action: specs.ActAllow,
+			Args:   []*specs.LinuxSeccompArg{},
+			Includes: Filter{
 				Caps: []string{"CAP_SYSLOG"},
 			},
 		},
 	}
 
-	return &types.Seccomp{
-		DefaultAction: types.ActErrno,
+	return &Seccomp{
+		DefaultAction: specs.ActErrno,
 		ArchMap:       arches(),
 		Syscalls:      syscalls,
 	}

profiles/seccomp/seccomp.go

@@ -0,0 +1,38 @@
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
+
+import "github.com/opencontainers/runtime-spec/specs-go"
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+type Seccomp struct {
+	DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
+	// Architectures is kept to maintain backward compatibility with the old
+	// seccomp profile.
+	Architectures []specs.Arch   `json:"architectures,omitempty"`
+	ArchMap       []Architecture `json:"archMap,omitempty"`
+	Syscalls      []*Syscall     `json:"syscalls"`
+}
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+type Architecture struct {
+	Arch      specs.Arch   `json:"architecture"`
+	SubArches []specs.Arch `json:"subArchitectures"`
+}
+
+// Filter is used to conditionally apply Seccomp rules
+type Filter struct {
+	Caps      []string `json:"caps,omitempty"`
+	Arches    []string `json:"arches,omitempty"`
+	MinKernel string   `json:"minKernel,omitempty"`
+}
+
+// Syscall is used to match a group of syscalls in Seccomp
+type Syscall struct {
+	Name     string                   `json:"name,omitempty"`
+	Names    []string                 `json:"names,omitempty"`
+	Action   specs.LinuxSeccompAction `json:"action"`
+	Args     []*specs.LinuxSeccompArg `json:"args"`
+	Comment  string                   `json:"comment"`
+	Includes Filter                   `json:"includes"`
+	Excludes Filter                   `json:"excludes"`
+}

profiles/seccomp/seccomp_linux.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"runtime"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/parsers/kernel"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -20,7 +19,7 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 
 // LoadProfile takes a json string and decodes the seccomp profile.
 func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
-	var config types.Seccomp
+	var config Seccomp
 	if err := json.Unmarshal([]byte(body), &config); err != nil {
 		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
 	}
@@ -28,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 }
 
 // libseccomp string => seccomp arch
-var nativeToSeccomp = map[string]types.Arch{
-	"x86":         types.ArchX86,
-	"amd64":       types.ArchX86_64,
-	"arm":         types.ArchARM,
-	"arm64":       types.ArchAARCH64,
-	"mips64":      types.ArchMIPS64,
-	"mips64n32":   types.ArchMIPS64N32,
-	"mipsel64":    types.ArchMIPSEL64,
-	"mips3l64n32": types.ArchMIPSEL64N32,
-	"mipsle":      types.ArchMIPSEL,
-	"ppc":         types.ArchPPC,
-	"ppc64":       types.ArchPPC64,
-	"ppc64le":     types.ArchPPC64LE,
-	"s390":        types.ArchS390,
-	"s390x":       types.ArchS390X,
+var nativeToSeccomp = map[string]specs.Arch{
+	"x86":         specs.ArchX86,
+	"amd64":       specs.ArchX86_64,
+	"arm":         specs.ArchARM,
+	"arm64":       specs.ArchAARCH64,
+	"mips64":      specs.ArchMIPS64,
+	"mips64n32":   specs.ArchMIPS64N32,
+	"mipsel64":    specs.ArchMIPSEL64,
+	"mips3l64n32": specs.ArchMIPSEL64N32,
+	"mipsle":      specs.ArchMIPSEL,
+	"ppc":         specs.ArchPPC,
+	"ppc64":       specs.ArchPPC64,
+	"ppc64le":     specs.ArchPPC64LE,
+	"s390":        specs.ArchS390,
+	"s390x":       specs.ArchS390X,
 }
 
 // GOARCH => libseccomp string
@@ -74,7 +73,7 @@ func inSlice(slice []string, s string) bool {
 	return false
 }
 
-func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 	if config == nil {
 		return nil, nil
 	}
@@ -92,9 +91,7 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 
 	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
 	if len(config.Architectures) != 0 {
-		for _, a := range config.Architectures {
-			newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
-		}
+		newConfig.Architectures = config.Architectures
 	}
 
 	arch := goToNative[runtime.GOARCH]
@@ -103,16 +100,14 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 	if len(config.ArchMap) != 0 && archExists {
 		for _, a := range config.ArchMap {
 			if a.Arch == seccompArch {
-				newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
-				for _, sa := range a.SubArches {
-					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
-				}
+				newConfig.Architectures = append(newConfig.Architectures, a.Arch)
+				newConfig.Architectures = append(newConfig.Architectures, a.SubArches...)
 				break
 			}
 		}
 	}
 
-	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+	newConfig.DefaultAction = config.DefaultAction
 
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
@@ -170,22 +165,15 @@ Loop:
 	return newConfig, nil
 }
 
-func createSpecsSyscall(names []string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
 	newCall := specs.LinuxSyscall{
 		Names:  names,
-		Action: specs.LinuxSeccompAction(action),
+		Action: action,
 	}
 
 	// Loop through all the arguments of the syscall and convert them
 	for _, arg := range args {
-		newArg := specs.LinuxSeccompArg{
-			Index:    arg.Index,
-			Value:    arg.Value,
-			ValueTwo: arg.ValueTwo,
-			Op:       specs.LinuxSeccompOperator(arg.Op),
-		}
-
-		newCall.Args = append(newCall.Args, newArg)
+		newCall.Args = append(newCall.Args, *arg)
 	}
 	return newCall
 }

profiles/seccomp/seccomp_unsupported.go

@@ -2,11 +2,7 @@
 
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
-import (
-	"github.com/docker/docker/api/types"
-)
-
 // DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *types.Seccomp {
+func DefaultProfile() *Seccomp {
 	return nil
 }