
Merge pull request #42604 from kinvolk/rata/seccomp-new-fields

seccomp: Sync fields with runtime-spec fields
Sebastiaan van Stijn 4 years ago
parent
commit
a2da507857
3 changed files with 49 additions and 1 deletions
  1. 5 1
      profiles/seccomp/seccomp.go
  2. 3 0
      profiles/seccomp/seccomp_linux.go
  3. 41 0
      profiles/seccomp/seccomp_test.go

+ 5 - 1
profiles/seccomp/seccomp.go

@@ -11,7 +11,11 @@ import (
 
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
-	DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
+	DefaultAction    specs.LinuxSeccompAction `json:"defaultAction"`
+	DefaultErrnoRet  *uint                    `json:"defaultErrnoRet,omitempty"`
+	ListenerPath     string                   `json:"listenerPath,omitempty"`
+	ListenerMetadata string                   `json:"listenerMetadata,omitempty"`
+
 	// Architectures is kept to maintain backward compatibility with the old
 	// seccomp profile.
 	Architectures []specs.Arch   `json:"architectures,omitempty"`
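Review bot: The new fields `DefaultErrnoRet`, `ListenerPath` and `ListenerMetadata` have no doc comments, although the neighbouring `Architectures` field has one and their meaning is not obvious from the names. I would note that the pointer separates "not set" from an explicit errno of 0, e.g. `// DefaultErrnoRet is the errno returned for DefaultAction; nil means the profile did not set one.` I would also note that the listener path refers to the host, e.g. `// ListenerPath is a host UNIX socket path taken from the profile and handed to the runtime for seccomp notifications.` The second comment is my reading of the runtime-spec field of the same name, so please check the wording against the spec version vendored here. The struct continues past the end of the hunk.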

+ 3 - 0
profiles/seccomp/seccomp_linux.go

@@ -107,6 +107,9 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 	}
 
 	newConfig.DefaultAction = config.DefaultAction
+	newConfig.DefaultErrnoRet = config.DefaultErrnoRet
+	newConfig.ListenerPath = config.ListenerPath
+	newConfig.ListenerMetadata = config.ListenerMetadata
 
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
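Review bot: `config.ListenerPath` and `config.ListenerMetadata` are copied into the runtime spec exactly as they appear in the profile, with no check on the path and no check that any rule uses a notify action. A profile is chosen by whoever creates the container, so the profile author decides which host socket the runtime is pointed at. If that is intended, a comment stating the trust assumption would help, e.g. `// ListenerPath comes from the caller-supplied profile and is passed through unvalidated; API access is assumed to be trusted.` Otherwise a guard before the assignment would fail early in the daemon instead of in the runtime, e.g. `if config.ListenerPath != "" && !filepath.IsAbs(config.ListenerPath) { return nil, errors.New("seccomp listenerPath must be an absolute path") }`, assuming `path/filepath` and `errors` are available in this file. `setupSeccomp` starts before and continues after this hunk, so any validation elsewhere in the function is not visible here.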

+ 41 - 0
profiles/seccomp/seccomp_test.go

@@ -59,6 +59,47 @@ func TestLoadProfile(t *testing.T) {
 	assert.DeepEqual(t, expected, *p)
 }
 
+func TestLoadProfileWithDefaultErrnoRet(t *testing.T) {
+	var profile = []byte(`{
+"defaultAction": "SCMP_ACT_ERRNO",
+"defaultErrnoRet": 6
+}`)
+	rs := createSpec()
+	p, err := LoadProfile(string(profile), &rs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedErrnoRet := uint(6)
+	expected := specs.LinuxSeccomp{
+		DefaultAction:   "SCMP_ACT_ERRNO",
+		DefaultErrnoRet: &expectedErrnoRet,
+	}
+
+	assert.DeepEqual(t, expected, *p)
+}
+
+func TestLoadProfileWithListenerPath(t *testing.T) {
+	var profile = []byte(`{
+"defaultAction": "SCMP_ACT_ERRNO",
+"listenerPath": "/var/run/seccompaget.sock",
+"listenerMetadata": "opaque-metadata"
+}`)
+	rs := createSpec()
+	p, err := LoadProfile(string(profile), &rs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := specs.LinuxSeccomp{
+		DefaultAction:    "SCMP_ACT_ERRNO",
+		ListenerPath:     "/var/run/seccompaget.sock",
+		ListenerMetadata: "opaque-metadata",
+	}
+
+	assert.DeepEqual(t, expected, *p)
+}
+
 // TestLoadLegacyProfile tests loading a seccomp profile in the old format
 // (before https://github.com/docker/docker/pull/24510)
 func TestLoadLegacyProfile(t *testing.T) {
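Review bot: Neither new test covers an explicit `"defaultErrnoRet": 0`, which is the case the `*uint` type exists for: an explicit zero must stay distinguishable from an absent field. If a zero were ever dropped on the way to the runtime spec, the runtime would fall back to its own default and blocked syscalls would return something other than what the profile asked for. A third test that loads a profile with the value 0 and expects a non-nil pointer to 0 would pin this; a sketch follows. Separately, the fixture path `/var/run/seccompaget.sock` looks like a typo for `seccompagent`, harmless because both occurrences match. The two added tests are complete within the hunk, and `TestLoadLegacyProfile` at the end is only context.

```go
func TestLoadProfileWithDefaultErrnoRetZero(t *testing.T) {
	rs := createSpec()
	p, err := LoadProfile(`{"defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 0}`, &rs)
	if err != nil {
		t.Fatal(err)
	}

	// An explicit 0 must survive as a non-nil pointer, not collapse to "unset".
	zero := uint(0)
	expected := specs.LinuxSeccomp{
		DefaultAction:   "SCMP_ACT_ERRNO",
		DefaultErrnoRet: &zero,
	}
	assert.DeepEqual(t, expected, *p)
}
```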