
Merge pull request #42005 from thaJeztah/refactor_seccomp

Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet"
Sebastiaan van Stijn 4 年之前
父节点
当前提交
5e4da6cc82

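--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -393,11 +393,7 @@
 				"write",
 				"writev"
 			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			"action": "SCMP_ACT_ALLOW"
 		},
 		{
 			"names": [
@@ -406,12 +402,9 @@
 				"ptrace"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": null,
-			"comment": "",
 			"includes": {
 				"minKernel": "4.8"
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -424,10 +417,7 @@
 					"value": 0,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -440,10 +430,7 @@
 					"value": 8,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -456,10 +443,7 @@
 					"value": 131072,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -472,10 +456,7 @@
 					"value": 131080,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -488,24 +469,18 @@
 					"value": 4294967295,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
 				"sync_file_range2"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"arches": [
 					"ppc64le"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -517,46 +492,37 @@
 				"set_tls"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"arches": [
 					"arm",
 					"arm64"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"arch_prctl"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"arches": [
 					"amd64",
 					"x32"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"modify_ldt"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"arches": [
 					"amd64",
 					"x32",
 					"x86"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -565,29 +531,23 @@
 				"s390_runtime_instr"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"arches": [
 					"s390",
 					"s390x"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"open_by_handle_at"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_DAC_READ_SEARCH"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -614,14 +574,11 @@
 				"unshare"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -635,8 +592,6 @@
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
-			"comment": "",
-			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
@@ -677,28 +632,22 @@
 				"reboot"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_BOOT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"chroot"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_CHROOT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -707,28 +656,22 @@
 				"finit_module"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_MODULE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"acct"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_PACCT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -740,14 +683,11 @@
 				"ptrace"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_PTRACE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -755,14 +695,11 @@
 				"ioperm"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_RAWIO"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -771,28 +708,22 @@
 				"clock_settime"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_TIME"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"vhangup"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_TTY_CONFIG"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -801,28 +732,22 @@
 				"set_mempolicy"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_NICE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"syslog"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"args": [],
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYSLOG"
 				]
-			},
-			"excludes": {}
+			}
 		}
 	]
 }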

+ 570 - 536
profiles/seccomp/default_linux.go

@@ -44,662 +44,696 @@ func arches() []Architecture {
 func DefaultProfile() *Seccomp {
 func DefaultProfile() *Seccomp {
 	syscalls := []*Syscall{
 	syscalls := []*Syscall{
 		{
 		{
-			Names: []string{
-				"accept",
-				"accept4",
-				"access",
-				"adjtimex",
-				"alarm",
-				"bind",
-				"brk",
-				"capget",
-				"capset",
-				"chdir",
-				"chmod",
-				"chown",
-				"chown32",
-				"clock_adjtime",
-				"clock_adjtime64",
-				"clock_getres",
-				"clock_getres_time64",
-				"clock_gettime",
-				"clock_gettime64",
-				"clock_nanosleep",
-				"clock_nanosleep_time64",
-				"close",
-				"close_range",
-				"connect",
-				"copy_file_range",
-				"creat",
-				"dup",
-				"dup2",
-				"dup3",
-				"epoll_create",
-				"epoll_create1",
-				"epoll_ctl",
-				"epoll_ctl_old",
-				"epoll_pwait",
-				"epoll_pwait2",
-				"epoll_wait",
-				"epoll_wait_old",
-				"eventfd",
-				"eventfd2",
-				"execve",
-				"execveat",
-				"exit",
-				"exit_group",
-				"faccessat",
-				"faccessat2",
-				"fadvise64",
-				"fadvise64_64",
-				"fallocate",
-				"fanotify_mark",
-				"fchdir",
-				"fchmod",
-				"fchmodat",
-				"fchown",
-				"fchown32",
-				"fchownat",
-				"fcntl",
-				"fcntl64",
-				"fdatasync",
-				"fgetxattr",
-				"flistxattr",
-				"flock",
-				"fork",
-				"fremovexattr",
-				"fsetxattr",
-				"fstat",
-				"fstat64",
-				"fstatat64",
-				"fstatfs",
-				"fstatfs64",
-				"fsync",
-				"ftruncate",
-				"ftruncate64",
-				"futex",
-				"futex_time64",
-				"futimesat",
-				"getcpu",
-				"getcwd",
-				"getdents",
-				"getdents64",
-				"getegid",
-				"getegid32",
-				"geteuid",
-				"geteuid32",
-				"getgid",
-				"getgid32",
-				"getgroups",
-				"getgroups32",
-				"getitimer",
-				"getpeername",
-				"getpgid",
-				"getpgrp",
-				"getpid",
-				"getppid",
-				"getpriority",
-				"getrandom",
-				"getresgid",
-				"getresgid32",
-				"getresuid",
-				"getresuid32",
-				"getrlimit",
-				"get_robust_list",
-				"getrusage",
-				"getsid",
-				"getsockname",
-				"getsockopt",
-				"get_thread_area",
-				"gettid",
-				"gettimeofday",
-				"getuid",
-				"getuid32",
-				"getxattr",
-				"inotify_add_watch",
-				"inotify_init",
-				"inotify_init1",
-				"inotify_rm_watch",
-				"io_cancel",
-				"ioctl",
-				"io_destroy",
-				"io_getevents",
-				"io_pgetevents",
-				"io_pgetevents_time64",
-				"ioprio_get",
-				"ioprio_set",
-				"io_setup",
-				"io_submit",
-				"io_uring_enter",
-				"io_uring_register",
-				"io_uring_setup",
-				"ipc",
-				"kill",
-				"lchown",
-				"lchown32",
-				"lgetxattr",
-				"link",
-				"linkat",
-				"listen",
-				"listxattr",
-				"llistxattr",
-				"_llseek",
-				"lremovexattr",
-				"lseek",
-				"lsetxattr",
-				"lstat",
-				"lstat64",
-				"madvise",
-				"membarrier",
-				"memfd_create",
-				"mincore",
-				"mkdir",
-				"mkdirat",
-				"mknod",
-				"mknodat",
-				"mlock",
-				"mlock2",
-				"mlockall",
-				"mmap",
-				"mmap2",
-				"mprotect",
-				"mq_getsetattr",
-				"mq_notify",
-				"mq_open",
-				"mq_timedreceive",
-				"mq_timedreceive_time64",
-				"mq_timedsend",
-				"mq_timedsend_time64",
-				"mq_unlink",
-				"mremap",
-				"msgctl",
-				"msgget",
-				"msgrcv",
-				"msgsnd",
-				"msync",
-				"munlock",
-				"munlockall",
-				"munmap",
-				"nanosleep",
-				"newfstatat",
-				"_newselect",
-				"open",
-				"openat",
-				"openat2",
-				"pause",
-				"pidfd_open",
-				"pidfd_send_signal",
-				"pipe",
-				"pipe2",
-				"poll",
-				"ppoll",
-				"ppoll_time64",
-				"prctl",
-				"pread64",
-				"preadv",
-				"preadv2",
-				"prlimit64",
-				"pselect6",
-				"pselect6_time64",
-				"pwrite64",
-				"pwritev",
-				"pwritev2",
-				"read",
-				"readahead",
-				"readlink",
-				"readlinkat",
-				"readv",
-				"recv",
-				"recvfrom",
-				"recvmmsg",
-				"recvmmsg_time64",
-				"recvmsg",
-				"remap_file_pages",
-				"removexattr",
-				"rename",
-				"renameat",
-				"renameat2",
-				"restart_syscall",
-				"rmdir",
-				"rseq",
-				"rt_sigaction",
-				"rt_sigpending",
-				"rt_sigprocmask",
-				"rt_sigqueueinfo",
-				"rt_sigreturn",
-				"rt_sigsuspend",
-				"rt_sigtimedwait",
-				"rt_sigtimedwait_time64",
-				"rt_tgsigqueueinfo",
-				"sched_getaffinity",
-				"sched_getattr",
-				"sched_getparam",
-				"sched_get_priority_max",
-				"sched_get_priority_min",
-				"sched_getscheduler",
-				"sched_rr_get_interval",
-				"sched_rr_get_interval_time64",
-				"sched_setaffinity",
-				"sched_setattr",
-				"sched_setparam",
-				"sched_setscheduler",
-				"sched_yield",
-				"seccomp",
-				"select",
-				"semctl",
-				"semget",
-				"semop",
-				"semtimedop",
-				"semtimedop_time64",
-				"send",
-				"sendfile",
-				"sendfile64",
-				"sendmmsg",
-				"sendmsg",
-				"sendto",
-				"setfsgid",
-				"setfsgid32",
-				"setfsuid",
-				"setfsuid32",
-				"setgid",
-				"setgid32",
-				"setgroups",
-				"setgroups32",
-				"setitimer",
-				"setpgid",
-				"setpriority",
-				"setregid",
-				"setregid32",
-				"setresgid",
-				"setresgid32",
-				"setresuid",
-				"setresuid32",
-				"setreuid",
-				"setreuid32",
-				"setrlimit",
-				"set_robust_list",
-				"setsid",
-				"setsockopt",
-				"set_thread_area",
-				"set_tid_address",
-				"setuid",
-				"setuid32",
-				"setxattr",
-				"shmat",
-				"shmctl",
-				"shmdt",
-				"shmget",
-				"shutdown",
-				"sigaltstack",
-				"signalfd",
-				"signalfd4",
-				"sigprocmask",
-				"sigreturn",
-				"socket",
-				"socketcall",
-				"socketpair",
-				"splice",
-				"stat",
-				"stat64",
-				"statfs",
-				"statfs64",
-				"statx",
-				"symlink",
-				"symlinkat",
-				"sync",
-				"sync_file_range",
-				"syncfs",
-				"sysinfo",
-				"tee",
-				"tgkill",
-				"time",
-				"timer_create",
-				"timer_delete",
-				"timer_getoverrun",
-				"timer_gettime",
-				"timer_gettime64",
-				"timer_settime",
-				"timer_settime64",
-				"timerfd_create",
-				"timerfd_gettime",
-				"timerfd_gettime64",
-				"timerfd_settime",
-				"timerfd_settime64",
-				"times",
-				"tkill",
-				"truncate",
-				"truncate64",
-				"ugetrlimit",
-				"umask",
-				"uname",
-				"unlink",
-				"unlinkat",
-				"utime",
-				"utimensat",
-				"utimensat_time64",
-				"utimes",
-				"vfork",
-				"vmsplice",
-				"wait4",
-				"waitid",
-				"waitpid",
-				"write",
-				"writev",
-			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-		},
-		{
-			Names: []string{
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace",
-			},
-			Action: specs.ActAllow,
-			Includes: Filter{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"accept",
+					"accept4",
+					"access",
+					"adjtimex",
+					"alarm",
+					"bind",
+					"brk",
+					"capget",
+					"capset",
+					"chdir",
+					"chmod",
+					"chown",
+					"chown32",
+					"clock_adjtime",
+					"clock_adjtime64",
+					"clock_getres",
+					"clock_getres_time64",
+					"clock_gettime",
+					"clock_gettime64",
+					"clock_nanosleep",
+					"clock_nanosleep_time64",
+					"close",
+					"close_range",
+					"connect",
+					"copy_file_range",
+					"creat",
+					"dup",
+					"dup2",
+					"dup3",
+					"epoll_create",
+					"epoll_create1",
+					"epoll_ctl",
+					"epoll_ctl_old",
+					"epoll_pwait",
+					"epoll_pwait2",
+					"epoll_wait",
+					"epoll_wait_old",
+					"eventfd",
+					"eventfd2",
+					"execve",
+					"execveat",
+					"exit",
+					"exit_group",
+					"faccessat",
+					"faccessat2",
+					"fadvise64",
+					"fadvise64_64",
+					"fallocate",
+					"fanotify_mark",
+					"fchdir",
+					"fchmod",
+					"fchmodat",
+					"fchown",
+					"fchown32",
+					"fchownat",
+					"fcntl",
+					"fcntl64",
+					"fdatasync",
+					"fgetxattr",
+					"flistxattr",
+					"flock",
+					"fork",
+					"fremovexattr",
+					"fsetxattr",
+					"fstat",
+					"fstat64",
+					"fstatat64",
+					"fstatfs",
+					"fstatfs64",
+					"fsync",
+					"ftruncate",
+					"ftruncate64",
+					"futex",
+					"futex_time64",
+					"futimesat",
+					"getcpu",
+					"getcwd",
+					"getdents",
+					"getdents64",
+					"getegid",
+					"getegid32",
+					"geteuid",
+					"geteuid32",
+					"getgid",
+					"getgid32",
+					"getgroups",
+					"getgroups32",
+					"getitimer",
+					"getpeername",
+					"getpgid",
+					"getpgrp",
+					"getpid",
+					"getppid",
+					"getpriority",
+					"getrandom",
+					"getresgid",
+					"getresgid32",
+					"getresuid",
+					"getresuid32",
+					"getrlimit",
+					"get_robust_list",
+					"getrusage",
+					"getsid",
+					"getsockname",
+					"getsockopt",
+					"get_thread_area",
+					"gettid",
+					"gettimeofday",
+					"getuid",
+					"getuid32",
+					"getxattr",
+					"inotify_add_watch",
+					"inotify_init",
+					"inotify_init1",
+					"inotify_rm_watch",
+					"io_cancel",
+					"ioctl",
+					"io_destroy",
+					"io_getevents",
+					"io_pgetevents",
+					"io_pgetevents_time64",
+					"ioprio_get",
+					"ioprio_set",
+					"io_setup",
+					"io_submit",
+					"io_uring_enter",
+					"io_uring_register",
+					"io_uring_setup",
+					"ipc",
+					"kill",
+					"lchown",
+					"lchown32",
+					"lgetxattr",
+					"link",
+					"linkat",
+					"listen",
+					"listxattr",
+					"llistxattr",
+					"_llseek",
+					"lremovexattr",
+					"lseek",
+					"lsetxattr",
+					"lstat",
+					"lstat64",
+					"madvise",
+					"membarrier",
+					"memfd_create",
+					"mincore",
+					"mkdir",
+					"mkdirat",
+					"mknod",
+					"mknodat",
+					"mlock",
+					"mlock2",
+					"mlockall",
+					"mmap",
+					"mmap2",
+					"mprotect",
+					"mq_getsetattr",
+					"mq_notify",
+					"mq_open",
+					"mq_timedreceive",
+					"mq_timedreceive_time64",
+					"mq_timedsend",
+					"mq_timedsend_time64",
+					"mq_unlink",
+					"mremap",
+					"msgctl",
+					"msgget",
+					"msgrcv",
+					"msgsnd",
+					"msync",
+					"munlock",
+					"munlockall",
+					"munmap",
+					"nanosleep",
+					"newfstatat",
+					"_newselect",
+					"open",
+					"openat",
+					"openat2",
+					"pause",
+					"pidfd_open",
+					"pidfd_send_signal",
+					"pipe",
+					"pipe2",
+					"poll",
+					"ppoll",
+					"ppoll_time64",
+					"prctl",
+					"pread64",
+					"preadv",
+					"preadv2",
+					"prlimit64",
+					"pselect6",
+					"pselect6_time64",
+					"pwrite64",
+					"pwritev",
+					"pwritev2",
+					"read",
+					"readahead",
+					"readlink",
+					"readlinkat",
+					"readv",
+					"recv",
+					"recvfrom",
+					"recvmmsg",
+					"recvmmsg_time64",
+					"recvmsg",
+					"remap_file_pages",
+					"removexattr",
+					"rename",
+					"renameat",
+					"renameat2",
+					"restart_syscall",
+					"rmdir",
+					"rseq",
+					"rt_sigaction",
+					"rt_sigpending",
+					"rt_sigprocmask",
+					"rt_sigqueueinfo",
+					"rt_sigreturn",
+					"rt_sigsuspend",
+					"rt_sigtimedwait",
+					"rt_sigtimedwait_time64",
+					"rt_tgsigqueueinfo",
+					"sched_getaffinity",
+					"sched_getattr",
+					"sched_getparam",
+					"sched_get_priority_max",
+					"sched_get_priority_min",
+					"sched_getscheduler",
+					"sched_rr_get_interval",
+					"sched_rr_get_interval_time64",
+					"sched_setaffinity",
+					"sched_setattr",
+					"sched_setparam",
+					"sched_setscheduler",
+					"sched_yield",
+					"seccomp",
+					"select",
+					"semctl",
+					"semget",
+					"semop",
+					"semtimedop",
+					"semtimedop_time64",
+					"send",
+					"sendfile",
+					"sendfile64",
+					"sendmmsg",
+					"sendmsg",
+					"sendto",
+					"setfsgid",
+					"setfsgid32",
+					"setfsuid",
+					"setfsuid32",
+					"setgid",
+					"setgid32",
+					"setgroups",
+					"setgroups32",
+					"setitimer",
+					"setpgid",
+					"setpriority",
+					"setregid",
+					"setregid32",
+					"setresgid",
+					"setresgid32",
+					"setresuid",
+					"setresuid32",
+					"setreuid",
+					"setreuid32",
+					"setrlimit",
+					"set_robust_list",
+					"setsid",
+					"setsockopt",
+					"set_thread_area",
+					"set_tid_address",
+					"setuid",
+					"setuid32",
+					"setxattr",
+					"shmat",
+					"shmctl",
+					"shmdt",
+					"shmget",
+					"shutdown",
+					"sigaltstack",
+					"signalfd",
+					"signalfd4",
+					"sigprocmask",
+					"sigreturn",
+					"socket",
+					"socketcall",
+					"socketpair",
+					"splice",
+					"stat",
+					"stat64",
+					"statfs",
+					"statfs64",
+					"statx",
+					"symlink",
+					"symlinkat",
+					"sync",
+					"sync_file_range",
+					"syncfs",
+					"sysinfo",
+					"tee",
+					"tgkill",
+					"time",
+					"timer_create",
+					"timer_delete",
+					"timer_getoverrun",
+					"timer_gettime",
+					"timer_gettime64",
+					"timer_settime",
+					"timer_settime64",
+					"timerfd_create",
+					"timerfd_gettime",
+					"timerfd_gettime64",
+					"timerfd_settime",
+					"timerfd_settime64",
+					"times",
+					"tkill",
+					"truncate",
+					"truncate64",
+					"ugetrlimit",
+					"umask",
+					"uname",
+					"unlink",
+					"unlinkat",
+					"utime",
+					"utimensat",
+					"utimensat_time64",
+					"utimes",
+					"vfork",
+					"vmsplice",
+					"wait4",
+					"waitid",
+					"waitpid",
+					"write",
+					"writev",
+				},
+				Action: specs.ActAllow,
+			},
+		},
+		{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"process_vm_readv",
+					"process_vm_writev",
+					"ptrace",
+				},
+				Action: specs.ActAllow,
+			},
+			Includes: &Filter{
 				MinKernel: &KernelVersion{4, 8},
 				MinKernel: &KernelVersion{4, 8},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names:  []string{"personality"},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index: 0,
-					Value: 0x0,
-					Op:    specs.OpEqualTo,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"personality"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: 0x0,
+						Op:    specs.OpEqualTo,
+					},
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names:  []string{"personality"},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index: 0,
-					Value: 0x0008,
-					Op:    specs.OpEqualTo,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"personality"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: 0x0008,
+						Op:    specs.OpEqualTo,
+					},
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names:  []string{"personality"},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index: 0,
-					Value: 0x20000,
-					Op:    specs.OpEqualTo,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"personality"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: 0x20000,
+						Op:    specs.OpEqualTo,
+					},
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names:  []string{"personality"},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index: 0,
-					Value: 0x20008,
-					Op:    specs.OpEqualTo,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"personality"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: 0x20008,
+						Op:    specs.OpEqualTo,
+					},
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names:  []string{"personality"},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index: 0,
-					Value: 0xffffffff,
-					Op:    specs.OpEqualTo,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"personality"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: 0xffffffff,
+						Op:    specs.OpEqualTo,
+					},
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"sync_file_range2",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"sync_file_range2",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"ppc64le"},
 				Arches: []string{"ppc64le"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"arm_fadvise64_64",
-				"arm_sync_file_range",
-				"sync_file_range2",
-				"breakpoint",
-				"cacheflush",
-				"set_tls",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"arm_fadvise64_64",
+					"arm_sync_file_range",
+					"sync_file_range2",
+					"breakpoint",
+					"cacheflush",
+					"set_tls",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"arm", "arm64"},
 				Arches: []string{"arm", "arm64"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"arch_prctl",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"arch_prctl",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"amd64", "x32"},
 				Arches: []string{"amd64", "x32"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"modify_ldt",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"modify_ldt",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"amd64", "x32", "x86"},
 				Arches: []string{"amd64", "x32", "x86"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"s390_pci_mmio_read",
-				"s390_pci_mmio_write",
-				"s390_runtime_instr",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"s390_pci_mmio_read",
+					"s390_pci_mmio_write",
+					"s390_runtime_instr",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"s390", "s390x"},
 				Arches: []string{"s390", "s390x"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"open_by_handle_at",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"open_by_handle_at",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"bpf",
-				"clone",
-				"fanotify_init",
-				"fsconfig",
-				"fsmount",
-				"fsopen",
-				"fspick",
-				"lookup_dcookie",
-				"mount",
-				"move_mount",
-				"name_to_handle_at",
-				"open_tree",
-				"perf_event_open",
-				"quotactl",
-				"setdomainname",
-				"sethostname",
-				"setns",
-				"syslog",
-				"umount",
-				"umount2",
-				"unshare",
-			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"bpf",
+					"clone",
+					"fanotify_init",
+					"fsconfig",
+					"fsmount",
+					"fsopen",
+					"fspick",
+					"lookup_dcookie",
+					"mount",
+					"move_mount",
+					"name_to_handle_at",
+					"open_tree",
+					"perf_event_open",
+					"quotactl",
+					"setdomainname",
+					"sethostname",
+					"setns",
+					"syslog",
+					"umount",
+					"umount2",
+					"unshare",
+				},
+				Action: specs.ActAllow,
+			},
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"clone",
-			},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index:    0,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
-					ValueTwo: 0,
-					Op:       specs.OpMaskedEqual,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"clone",
+				},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index:    0,
+						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
+						ValueTwo: 0,
+						Op:       specs.OpMaskedEqual,
+					},
 				},
 				},
 			},
 			},
-			Excludes: Filter{
+			Excludes: &Filter{
 				Caps:   []string{"CAP_SYS_ADMIN"},
 				Caps:   []string{"CAP_SYS_ADMIN"},
 				Arches: []string{"s390", "s390x"},
 				Arches: []string{"s390", "s390x"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"clone",
-			},
-			Action: specs.ActAllow,
-			Args: []*specs.LinuxSeccompArg{
-				{
-					Index:    1,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
-					ValueTwo: 0,
-					Op:       specs.OpMaskedEqual,
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"clone",
+				},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index:    1,
+						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
+						ValueTwo: 0,
+						Op:       specs.OpMaskedEqual,
+					},
 				},
 				},
 			},
 			},
 			Comment: "s390 parameter ordering for clone is different",
 			Comment: "s390 parameter ordering for clone is different",
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"s390", "s390x"},
 				Arches: []string{"s390", "s390x"},
 			},
 			},
-			Excludes: Filter{
+			Excludes: &Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"reboot",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"reboot",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_BOOT"},
 				Caps: []string{"CAP_SYS_BOOT"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"chroot",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"chroot",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_CHROOT"},
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"delete_module",
-				"init_module",
-				"finit_module",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"delete_module",
+					"init_module",
+					"finit_module",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_MODULE"},
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"acct",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"acct",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_PACCT"},
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"kcmp",
-				"pidfd_getfd",
-				"process_madvise",
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"kcmp",
+					"pidfd_getfd",
+					"process_madvise",
+					"process_vm_readv",
+					"process_vm_writev",
+					"ptrace",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_PTRACE"},
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"iopl",
-				"ioperm",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"iopl",
+					"ioperm",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_RAWIO"},
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"settimeofday",
-				"stime",
-				"clock_settime",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"settimeofday",
+					"stime",
+					"clock_settime",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_TIME"},
 				Caps: []string{"CAP_SYS_TIME"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"vhangup",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"vhangup",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"get_mempolicy",
-				"mbind",
-				"set_mempolicy",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"get_mempolicy",
+					"mbind",
+					"set_mempolicy",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_NICE"},
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 			},
 		},
 		},
 		{
 		{
-			Names: []string{
-				"syslog",
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"syslog",
+				},
+				Action: specs.ActAllow,
 			},
 			},
-			Action: specs.ActAllow,
-			Args:   []*specs.LinuxSeccompArg{},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYSLOG"},
 				Caps: []string{"CAP_SYSLOG"},
 			},
 			},
 		},
 		},
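Review bot: With `Includes` and `Excludes` now `*Filter`, rules such as the first one (the large `accept` … `writev` allow-list) are built with both fields nil, whereas the old code always carried a zero-value `Filter{}`; every consumer that reads `.Arches`, `.Caps` or `.MinKernel` off these fields must nil-check first, or profile generation panics at container start. The nil case should be treated exactly like the old empty filter — a rule with no constraint — so that no rule is silently dropped or unconditionally applied; the `setupSeccomp` hunk in `profiles/seccomp/seccomp_linux.go` that would show this is cut off at the end of this page, so I cannot confirm it here. The body of `DefaultProfile` continues past the end of this hunk.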

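--- a/profiles/seccomp/fixtures/example.json
+++ b/profiles/seccomp/fixtures/example.json
@@ -22,6 +22,12 @@
             "name": "close",
             "action": "SCMP_ACT_ALLOW",
             "args": []
+        },
+        {
+            "name": "syslog",
+            "action": "SCMP_ACT_ERRNO",
+            "errnoRet": 12345,
+            "args": []
         }
     ]
 }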

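--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -40,15 +40,18 @@ type Filter struct {
 	MinKernel *KernelVersion `json:"minKernel,omitempty"`
 }
 
-// Syscall is used to match a group of syscalls in Seccomp
+// Syscall is used to match a group of syscalls in Seccomp. It extends the
+// runtime-spec Syscall type, adding a "Name" field for backward compatibility
+// with older JSON representations, additional "Comment" metadata, and conditional
+// rules ("Includes", "Excludes") used to generate a runtime-spec Seccomp profile
+// based on the container (capabilities) and host's (arch, kernel) configuration.
 type Syscall struct {
-	Name     string                   `json:"name,omitempty"`
-	Names    []string                 `json:"names,omitempty"`
-	Action   specs.LinuxSeccompAction `json:"action"`
-	Args     []*specs.LinuxSeccompArg `json:"args"`
-	Comment  string                   `json:"comment"`
-	Includes Filter                   `json:"includes"`
-	Excludes Filter                   `json:"excludes"`
+	specs.LinuxSyscall
+	// Deprecated: kept for backward compatibility with old JSON profiles, use Names instead
+	Name     string  `json:"name,omitempty"`
+	Comment  string  `json:"comment,omitempty"`
+	Includes *Filter `json:"includes,omitempty"`
+	Excludes *Filter `json:"excludes,omitempty"`
 }
 
 // KernelVersion holds information about the kernel.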
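Review bot: The new `Includes`, `Excludes` and `Comment` fields carry no doc comments, so the matching contract that the filter loop in seccomp_linux.go applies to them (every `Includes` criterion must hold; any `Excludes` criterion that matches drops the rule; `Comment` is never copied into the generated profile) is only discoverable by reading that loop. Suggest `// Includes keeps the rule only when every listed criterion (arch, capabilities, minimum kernel) matches the host/container.` on `Includes`, `// Excludes drops the rule when any listed criterion matches.` on `Excludes`, and `// Comment is informational only and is not emitted into the generated profile.` on `Comment`. Since both filter fields are now pointers, it would also help to state that a nil filter means "no condition", as the loop treats it.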

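--- a/profiles/seccomp/seccomp_linux.go
+++ b/profiles/seccomp/seccomp_linux.go
@@ -111,68 +111,58 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
 	for _, call := range config.Syscalls {
-		if len(call.Excludes.Arches) > 0 {
-			if inSlice(call.Excludes.Arches, arch) {
-				continue Loop
-			}
-		}
-		if len(call.Excludes.Caps) > 0 {
-			for _, c := range call.Excludes.Caps {
-				if inSlice(rs.Process.Capabilities.Bounding, c) {
+		if call.Excludes != nil {
+			if len(call.Excludes.Arches) > 0 {
+				if inSlice(call.Excludes.Arches, arch) {
 					continue Loop
 				}
 			}
-		}
-		if call.Excludes.MinKernel != nil {
-			if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
-				return nil, err
-			} else if ok {
-				continue Loop
+			if len(call.Excludes.Caps) > 0 {
+				for _, c := range call.Excludes.Caps {
+					if inSlice(rs.Process.Capabilities.Bounding, c) {
+						continue Loop
+					}
+				}
 			}
-		}
-		if len(call.Includes.Arches) > 0 {
-			if !inSlice(call.Includes.Arches, arch) {
-				continue Loop
+			if call.Excludes.MinKernel != nil {
+				if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
+					return nil, err
+				} else if ok {
+					continue Loop
+				}
 			}
 		}
-		if len(call.Includes.Caps) > 0 {
-			for _, c := range call.Includes.Caps {
-				if !inSlice(rs.Process.Capabilities.Bounding, c) {
+		if call.Includes != nil {
+			if len(call.Includes.Arches) > 0 {
+				if !inSlice(call.Includes.Arches, arch) {
 					continue Loop
 				}
 			}
-		}
-		if call.Includes.MinKernel != nil {
-			if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
-				return nil, err
-			} else if !ok {
-				continue Loop
+			if len(call.Includes.Caps) > 0 {
+				for _, c := range call.Includes.Caps {
+					if !inSlice(rs.Process.Capabilities.Bounding, c) {
+						continue Loop
+					}
+				}
+			}
+			if call.Includes.MinKernel != nil {
+				if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
+					return nil, err
+				} else if !ok {
+					continue Loop
+				}
 			}
-		}
-
-		if call.Name != "" && len(call.Names) != 0 {
-			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
 		}
 
 		if call.Name != "" {
-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
-		} else {
-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
+			if len(call.Names) != 0 {
+				return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+			}
+			call.Names = append(call.Names, call.Name)
 		}
-	}
 
-	return newConfig, nil
-}
-
-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
-	newCall := specs.LinuxSyscall{
-		Names:  names,
-		Action: action,
+		newConfig.Syscalls = append(newConfig.Syscalls, call.LinuxSyscall)
 	}
 
-	// Loop through all the arguments of the syscall and convert them
-	for _, arg := range args {
-		newCall.Args = append(newCall.Args, *arg)
-	}
-	return newCall
+	return newConfig, nil
 }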
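Review bot: `ErrnoRet` now flows from the profile straight into the generated `specs.LinuxSyscall` at the `append(newConfig.Syscalls, call.LinuxSyscall)` line without any range check, while the kernel encodes the errno in the low 16 bits of the seccomp return value (SECCOMP_RET_DATA is 0xffff), so a profile value above 0xffff would presumably be truncated further down the stack rather than rejected when the profile is loaded. Consider validating it next to the existing name/names check, e.g. `if call.ErrnoRet != nil && *call.ErrnoRet > 0xffff { return nil, errors.New("'errnoRet' in the seccomp profile must fit in 16 bits") }`, unless the runtime is known to reject it already. A related gap: a rule that sets neither `name` nor `names` is appended with empty `Names`, which this loop passes through silently; rejecting it explicitly would make a misconfigured profile fail loudly instead of depending on downstream behaviour. setupSeccomp's signature and the code before the `Loop:` label are outside the hunk.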

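--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@@ -18,9 +18,45 @@ func TestLoadProfile(t *testing.T) {
 		t.Fatal(err)
 	}
 	rs := createSpec()
-	if _, err := LoadProfile(string(f), &rs); err != nil {
+	p, err := LoadProfile(string(f), &rs)
+	if err != nil {
 		t.Fatal(err)
 	}
+	var expectedErrno uint = 12345
+	expected := specs.LinuxSeccomp{
+		DefaultAction: "SCMP_ACT_ERRNO",
+		Syscalls: []specs.LinuxSyscall{
+			{
+				Names:  []string{"clone"},
+				Action: "SCMP_ACT_ALLOW",
+				Args: []specs.LinuxSeccompArg{{
+					Index:    0,
+					Value:    2114060288,
+					ValueTwo: 0,
+					Op:       "SCMP_CMP_MASKED_EQ",
+				}},
+			},
+			{
+
+				Names:  []string{"open"},
+				Action: "SCMP_ACT_ALLOW",
+				Args:   []specs.LinuxSeccompArg{},
+			},
+			{
+				Names:  []string{"close"},
+				Action: "SCMP_ACT_ALLOW",
+				Args:   []specs.LinuxSeccompArg{},
+			},
+			{
+				Names:    []string{"syslog"},
+				Action:   "SCMP_ACT_ERRNO",
+				ErrnoRet: &expectedErrno,
+				Args:     []specs.LinuxSeccompArg{},
+			},
+		},
+	}
+
+	assert.DeepEqual(t, expected, *p)
 }
 
 // TestLoadLegacyProfile tests loading a seccomp profile in the old format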
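Review bot: The composite literal for the "open" entry opens with a stray blank line between `{` and `Names:`, which gofmt preserves; dropping it keeps the entry consistent with its three siblings. The new assertion only exercises the happy path of the ErrnoRet support: there is no case for a profile that sets both `name` and `names` (the error branch that the refactor moved), nor for an out-of-range `errnoRet`, so the expanded `expected` value pins the decode but not the validation. A small table-driven addition for those two inputs would cover the behaviour this PR changes.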