
move default seccomp profile into package

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Jessica Frazelle 9 роки тому
батько
коміт
bed0bb7d01

+ 3 - 2
daemon/execdriver/native/create.go

@@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/daemon/execdriver"
 	derr "github.com/docker/docker/errors"
 	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/profiles/seccomp"
 
 	"github.com/docker/docker/volume"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
@@ -71,7 +72,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 		}
 
 		if c.SeccompProfile == "" {
-			container.Seccomp = getDefaultSeccompProfile()
+			container.Seccomp = seccomp.GetDefaultProfile()
 		}
 	}
 	// add CAP_ prefix to all caps for new libcontainer update to match
@@ -88,7 +89,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 	}
 
 	if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
-		container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)
+		container.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile)
 		if err != nil {
 			return nil, err
 		}

+ 27 - 0
profiles/seccomp/fixtures/example.json

@@ -0,0 +1,27 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO",
+    "syscalls": [
+        {
+            "name": "clone",
+            "action": "SCMP_ACT_ALLOW",
+            "args": [
+                {
+                    "index": 0,
+                    "value": 2080505856,
+                    "valueTwo": 0,
+                    "op": "SCMP_CMP_MASKED_EQ"
+                }
+            ]
+        },
+        {
+            "name": "open",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        },
+        {
+            "name": "close",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        }
+    ]
+}

+ 5 - 3
daemon/execdriver/native/seccomp.go → profiles/seccomp/seccomp.go

@@ -1,6 +1,6 @@
 // +build linux
 
-package native
+package seccomp
 
 import (
 	"encoding/json"
@@ -11,11 +11,13 @@ import (
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 )
 
-func getDefaultSeccompProfile() *configs.Seccomp {
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile() *configs.Seccomp {
 	return defaultSeccompProfile
 }
 
-func loadSeccompProfile(body string) (*configs.Seccomp, error) {
+// LoadProfile takes a file path a decodes the seccomp profile.
+func LoadProfile(body string) (*configs.Seccomp, error) {
 	var config types.Seccomp
 	if err := json.Unmarshal([]byte(body), &config); err != nil {
 		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
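Review bot: The new doc comment on `LoadProfile` at line 95 says it takes a file path, but the parameter goes straight into `json.Unmarshal([]byte(body), &config)` on the following lines, so the argument is the profile's JSON text and the caller (create.go passes `c.SeccompProfile` directly) is expected to have read the file already; the comment also has a typo ("a decodes"). Suggested wording: `// LoadProfile decodes a seccomp profile from its JSON body; reading the profile file is the caller's responsibility.` Separately, `GetDefaultProfile` returns the package-level `defaultSeccompProfile` pointer, so every container created with the default shares one `configs.Seccomp` struct — now that this is exported across packages, a caller that mutates the returned value would change the default for all later containers, so either document it (`// The returned profile is shared; callers must not modify it.`) or return a copy, whichever matches how runc consumes it. LoadProfile's body continues past the end of this hunk.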

+ 1 - 1
daemon/execdriver/native/seccomp_default.go → profiles/seccomp/seccomp_default.go

@@ -1,6 +1,6 @@
 // +build linux,seccomp
 
-package native
+package seccomp
 
 import (
 	"syscall"

+ 19 - 0
profiles/seccomp/seccomp_test.go

@@ -0,0 +1,19 @@
+// +build linux
+
+package seccomp
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+func TestLoadProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("fixtures/example.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := LoadProfile(string(f)); err != nil {
+		t.Fatal(err)
+	}
+}
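Review bot: `TestLoadProfile` only checks that the fixture decodes without error, so a regression that silently drops syscall entries or mis-maps `defaultAction`/`op` would still pass; the fixture at profiles/seccomp/fixtures/example.json has a known shape (three syscalls, a single masked-equality arg on `clone`) that can be asserted. There is also no negative case for malformed input, which is the `Decoding seccomp profile failed` path in LoadProfile. The field names below follow runc's `configs.Seccomp`/`configs.Syscall` as I recall them — confirm against the vendored version.
```go
	// … unchanged: read fixtures/example.json into f …
	p, err := LoadProfile(string(f))
	if err != nil {
		t.Fatal(err)
	}
	if len(p.Syscalls) != 3 {
		t.Fatalf("expected 3 syscalls, got %d", len(p.Syscalls))
	}
	if p.Syscalls[0].Name != "clone" || len(p.Syscalls[0].Args) != 1 {
		t.Fatalf("unexpected first syscall entry: %+v", p.Syscalls[0])
	}
	if _, err := LoadProfile("{not json"); err == nil {
		t.Fatal("expected an error for malformed JSON")
	}
```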

+ 1 - 1
daemon/execdriver/native/seccomp_unsupported.go → profiles/seccomp/seccomp_unsupported.go

@@ -1,6 +1,6 @@
 // +build linux,!seccomp
 
-package native
+package seccomp
 
 import "github.com/opencontainers/runc/libcontainer/configs"