profiles/seccomp.Syscall: use pointers and omitempty

These fields are optional, and this makes the JSON representation
slightly less verbose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2021-02-09 14:46:50 +01:00
parent d92739713c
commit c7cd1b9436
4 changed files with 81 additions and 133 deletions


@ -393,10 +393,7 @@
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {},
"excludes": {}
"action": "SCMP_ACT_ALLOW"
},
{
"names": [
@ -405,11 +402,9 @@
"ptrace"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"minKernel": "4.8"
},
"excludes": {}
}
},
{
"names": [
@ -422,10 +417,7 @@
"value": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
]
},
{
"names": [
@ -438,10 +430,7 @@
"value": 8,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
]
},
{
"names": [
@ -454,10 +443,7 @@
"value": 131072,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
]
},
{
"names": [
@ -470,10 +456,7 @@
"value": 131080,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
]
},
{
"names": [
@ -486,23 +469,18 @@
"value": 4294967295,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
]
},
{
"names": [
"sync_file_range2"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"arches": [
"ppc64le"
]
},
"excludes": {}
}
},
{
"names": [
@ -514,43 +492,37 @@
"set_tls"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"arches": [
"arm",
"arm64"
]
},
"excludes": {}
}
},
{
"names": [
"arch_prctl"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"arches": [
"amd64",
"x32"
]
},
"excludes": {}
}
},
{
"names": [
"modify_ldt"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"arches": [
"amd64",
"x32",
"x86"
]
},
"excludes": {}
}
},
{
"names": [
@ -559,27 +531,23 @@
"s390_runtime_instr"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"arches": [
"s390",
"s390x"
]
},
"excludes": {}
}
},
{
"names": [
"open_by_handle_at"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_DAC_READ_SEARCH"
]
},
"excludes": {}
}
},
{
"names": [
@ -606,13 +574,11 @@
"unshare"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_ADMIN"
]
},
"excludes": {}
}
},
{
"names": [
@ -626,8 +592,6 @@
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
@ -668,26 +632,22 @@
"reboot"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
}
},
{
"names": [
"chroot"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_CHROOT"
]
},
"excludes": {}
}
},
{
"names": [
@ -696,26 +656,22 @@
"finit_module"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_MODULE"
]
},
"excludes": {}
}
},
{
"names": [
"acct"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_PACCT"
]
},
"excludes": {}
}
},
{
"names": [
@ -727,13 +683,11 @@
"ptrace"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_PTRACE"
]
},
"excludes": {}
}
},
{
"names": [
@ -741,13 +695,11 @@
"ioperm"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_RAWIO"
]
},
"excludes": {}
}
},
{
"names": [
@ -756,26 +708,22 @@
"clock_settime"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_TIME"
]
},
"excludes": {}
}
},
{
"names": [
"vhangup"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_TTY_CONFIG"
]
},
"excludes": {}
}
},
{
"names": [
@ -784,26 +732,22 @@
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
}
},
{
"names": [
"syslog"
],
"action": "SCMP_ACT_ALLOW",
"comment": "",
"includes": {
"caps": [
"CAP_SYSLOG"
]
},
"excludes": {}
}
}
]
}


@ -399,7 +399,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
MinKernel: &KernelVersion{4, 8},
},
},
@ -475,7 +475,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Arches: []string{"ppc64le"},
},
},
@ -491,7 +491,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Arches: []string{"arm", "arm64"},
},
},
@ -502,7 +502,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Arches: []string{"amd64", "x32"},
},
},
@ -513,7 +513,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Arches: []string{"amd64", "x32", "x86"},
},
},
@ -526,7 +526,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Arches: []string{"s390", "s390x"},
},
},
@ -537,7 +537,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_DAC_READ_SEARCH"},
},
},
@ -568,7 +568,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_ADMIN"},
},
},
@ -587,7 +587,7 @@ func DefaultProfile() *Seccomp {
},
},
},
Excludes: Filter{
Excludes: &Filter{
Caps: []string{"CAP_SYS_ADMIN"},
Arches: []string{"s390", "s390x"},
},
@ -608,10 +608,10 @@ func DefaultProfile() *Seccomp {
},
},
Comment: "s390 parameter ordering for clone is different",
Includes: Filter{
Includes: &Filter{
Arches: []string{"s390", "s390x"},
},
Excludes: Filter{
Excludes: &Filter{
Caps: []string{"CAP_SYS_ADMIN"},
},
},
@ -622,7 +622,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_BOOT"},
},
},
@ -633,7 +633,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_CHROOT"},
},
},
@ -646,7 +646,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_MODULE"},
},
},
@ -657,7 +657,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_PACCT"},
},
},
@ -673,7 +673,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_PTRACE"},
},
},
@ -685,7 +685,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_RAWIO"},
},
},
@ -698,7 +698,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_TIME"},
},
},
@ -709,7 +709,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
},
@ -722,7 +722,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
@ -733,7 +733,7 @@ func DefaultProfile() *Seccomp {
},
Action: specs.ActAllow,
},
Includes: Filter{
Includes: &Filter{
Caps: []string{"CAP_SYSLOG"},
},
},


@ -48,10 +48,10 @@ type Filter struct {
type Syscall struct {
specs.LinuxSyscall
// Deprecated: kept for backward compatibility with old JSON profiles, use Names instead
Name string `json:"name,omitempty"`
Comment string `json:"comment"`
Includes Filter `json:"includes"`
Excludes Filter `json:"excludes"`
Name string `json:"name,omitempty"`
Comment string `json:"comment,omitempty"`
Includes *Filter `json:"includes,omitempty"`
Excludes *Filter `json:"excludes,omitempty"`
}
// KernelVersion holds information about the kernel.
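Review bot: The new pointer fields Includes and Excludes now carry meaning in their nil state (the linux setup code skips the whole filter check when the pointer is nil, so nil means "no constraint"), but neither field has a doc comment saying so, and Comment has none either. I would add `// Includes, when non-nil, restricts the rule to the listed arches, caps and minimum kernel; nil applies the rule unconditionally.` above Includes and `// Excludes, when non-nil, drops the rule on a matching arch, on any listed cap present in the bounding set, or on a kernel at or above MinKernel; nil excludes nothing.` above Excludes. It is worth stating in those comments that a decoded `"includes": {}` (non-nil pointer to a zero Filter) and an absent key (nil) behave identically, since every inner check also treats an empty list or nil MinKernel as no constraint. Comment deserves a one-liner noting it is informational only and now dropped from the JSON when empty.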


@ -111,42 +111,46 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
Loop:
// Loop through all syscall blocks and convert them to libcontainer format after filtering them
for _, call := range config.Syscalls {
if len(call.Excludes.Arches) > 0 {
if inSlice(call.Excludes.Arches, arch) {
continue Loop
if call.Excludes != nil {
if len(call.Excludes.Arches) > 0 {
if inSlice(call.Excludes.Arches, arch) {
continue Loop
}
}
}
if len(call.Excludes.Caps) > 0 {
for _, c := range call.Excludes.Caps {
if inSlice(rs.Process.Capabilities.Bounding, c) {
if len(call.Excludes.Caps) > 0 {
for _, c := range call.Excludes.Caps {
if inSlice(rs.Process.Capabilities.Bounding, c) {
continue Loop
}
}
}
if call.Excludes.MinKernel != nil {
if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
return nil, err
} else if ok {
continue Loop
}
}
}
if call.Excludes.MinKernel != nil {
if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
return nil, err
} else if ok {
continue Loop
}
}
if len(call.Includes.Arches) > 0 {
if !inSlice(call.Includes.Arches, arch) {
continue Loop
}
}
if len(call.Includes.Caps) > 0 {
for _, c := range call.Includes.Caps {
if !inSlice(rs.Process.Capabilities.Bounding, c) {
if call.Includes != nil {
if len(call.Includes.Arches) > 0 {
if !inSlice(call.Includes.Arches, arch) {
continue Loop
}
}
}
if call.Includes.MinKernel != nil {
if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
return nil, err
} else if !ok {
continue Loop
if len(call.Includes.Caps) > 0 {
for _, c := range call.Includes.Caps {
if !inSlice(rs.Process.Capabilities.Bounding, c) {
continue Loop
}
}
}
if call.Includes.MinKernel != nil {
if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
return nil, err
} else if !ok {
continue Loop
}
}
}
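Review bot: The nil guards push the filter checks five levels deep, and the two `len(...) > 0` guards inside the Excludes branch are now redundant (inSlice over an empty slice is false and range over an empty slice does nothing), whereas the identical-looking guard on Includes.Arches is load-bearing because an empty include list must mean "every arch"; that asymmetry is easy to break in a later edit and deserves a comment. I would drop the two Excludes length checks and add `// An empty Includes.Arches list means the rule applies on every arch; only a non-empty list restricts it.` above the Includes arch check, plus `// Includes.Caps requires every listed cap in the bounding set; Excludes.Caps fires on any one of them.` above the caps loop. The nil checks themselves look correct: a nil Filter and a zero Filter both fall through to the same outcome. setupSeccomp and the loop body continue outside the hunk, so I could not verify what follows the Includes block.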