diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index 632cefbe0a..2f14e58257 100644 --- a/profiles/seccomp/default.json +++ b/profiles/seccomp/default.json @@ -393,10 +393,7 @@ "write", "writev" ], - "action": "SCMP_ACT_ALLOW", - "comment": "", - "includes": {}, - "excludes": {} + "action": "SCMP_ACT_ALLOW" }, { "names": [ @@ -405,11 +402,9 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "minKernel": "4.8" - }, - "excludes": {} + } }, { "names": [ @@ -422,10 +417,7 @@ "value": 0, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -438,10 +430,7 @@ "value": 8, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -454,10 +443,7 @@ "value": 131072, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -470,10 +456,7 @@ "value": 131080, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -486,23 +469,18 @@ "value": 4294967295, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ "sync_file_range2" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "arches": [ "ppc64le" ] - }, - "excludes": {} + } }, { "names": [ @@ -514,43 +492,37 @@ "set_tls" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "arches": [ "arm", "arm64" ] - }, - "excludes": {} + } }, { "names": [ "arch_prctl" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "arches": [ "amd64", "x32" ] - }, - "excludes": {} + } }, { "names": [ "modify_ldt" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "arches": [ "amd64", "x32", "x86" ] - }, - "excludes": {} + } }, { "names": [ 
@@ -559,27 +531,23 @@ "s390_runtime_instr" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "arches": [ "s390", "s390x" ] - }, - "excludes": {} + } }, { "names": [ "open_by_handle_at" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_DAC_READ_SEARCH" ] - }, - "excludes": {} + } }, { "names": [ @@ -606,13 +574,11 @@ "unshare" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_ADMIN" ] - }, - "excludes": {} + } }, { "names": [ @@ -626,8 +592,6 @@ "op": "SCMP_CMP_MASKED_EQ" } ], - "comment": "", - "includes": {}, "excludes": { "caps": [ "CAP_SYS_ADMIN" @@ -668,26 +632,22 @@ "reboot" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_BOOT" ] - }, - "excludes": {} + } }, { "names": [ "chroot" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_CHROOT" ] - }, - "excludes": {} + } }, { "names": [ @@ -696,26 +656,22 @@ "finit_module" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_MODULE" ] - }, - "excludes": {} + } }, { "names": [ "acct" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_PACCT" ] - }, - "excludes": {} + } }, { "names": [ @@ -727,13 +683,11 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_PTRACE" ] - }, - "excludes": {} + } }, { "names": [ @@ -741,13 +695,11 @@ "ioperm" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_RAWIO" ] - }, - "excludes": {} + } }, { "names": [ @@ -756,26 +708,22 @@ "clock_settime" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_TIME" ] - }, - "excludes": {} + } }, { "names": [ "vhangup" ], "action": "SCMP_ACT_ALLOW", - "comment": "", "includes": { "caps": [ "CAP_SYS_TTY_CONFIG" ] - }, - "excludes": {} + } }, { "names": [ 
@@ -784,26 +732,22 @@
 "set_mempolicy"
 ],
 "action": "SCMP_ACT_ALLOW",
- "comment": "",
 "includes": {
 "caps": [
 "CAP_SYS_NICE"
 ]
- },
- "excludes": {}
+ }
 },
 {
 "names": [
 "syslog"
 ],
 "action": "SCMP_ACT_ALLOW",
- "comment": "",
 "includes": {
 "caps": [
 "CAP_SYSLOG"
 ]
- },
- "excludes": {}
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index f0319dac60..1c2471553f 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -399,7 +399,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 MinKernel: &KernelVersion{4, 8},
 },
 },
@@ -475,7 +475,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"ppc64le"},
 },
 },
@@ -491,7 +491,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"arm", "arm64"},
 },
 },
@@ -502,7 +502,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"amd64", "x32"},
 },
 },
@@ -513,7 +513,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"amd64", "x32", "x86"},
 },
 },
@@ -526,7 +526,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"s390", "s390x"},
 },
 },
@@ -537,7 +537,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_DAC_READ_SEARCH"},
 },
 },
@@ -568,7 +568,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 },
 },
@@ -587,7 +587,7 @@ func DefaultProfile() *Seccomp {
 },
 },
 },
- Excludes: Filter{
+ Excludes: &Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 Arches: []string{"s390", "s390x"},
 },
@@ -608,10 +608,10 @@ func DefaultProfile() *Seccomp {
 },
 },
 Comment: "s390 parameter ordering for clone is different",
- Includes: Filter{
+ Includes: &Filter{
 Arches: []string{"s390", "s390x"},
 },
- Excludes: Filter{
+ Excludes: &Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 },
 },
@@ -622,7 +622,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_BOOT"},
 },
 },
@@ -633,7 +633,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_CHROOT"},
 },
 },
@@ -646,7 +646,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_MODULE"},
 },
 },
@@ -657,7 +657,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_PACCT"},
 },
 },
@@ -673,7 +673,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_PTRACE"},
 },
 },
@@ -685,7 +685,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_RAWIO"},
 },
 },
@@ -698,7 +698,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_TIME"},
 },
 },
@@ -709,7 +709,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_TTY_CONFIG"},
 },
 },
@@ -722,7 +722,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYS_NICE"},
 },
 },
@@ -733,7 +733,7 @@ func DefaultProfile() *Seccomp {
 },
 Action: specs.ActAllow,
 },
- Includes: Filter{
+ Includes: &Filter{
 Caps: []string{"CAP_SYSLOG"},
 },
 },
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
index 843fd6bbe7..94a37367d0 100644
--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -48,10 +48,10 @@ type Filter struct {
 type Syscall struct {
 specs.LinuxSyscall
 // Deprecated: kept for backward compatibility with old JSON profiles, use Names instead
- Name string `json:"name,omitempty"`
- Comment string `json:"comment"`
- Includes Filter `json:"includes"`
- Excludes Filter `json:"excludes"`
+ Name string `json:"name,omitempty"`
+ Comment string `json:"comment,omitempty"`
+ Includes *Filter `json:"includes,omitempty"`
+ Excludes *Filter `json:"excludes,omitempty"`
 }
 
 // KernelVersion holds information about the kernel.
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
index b675386126..222fec6936 100644
--- a/profiles/seccomp/seccomp_linux.go
+++ b/profiles/seccomp/seccomp_linux.go
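Review bot: `Includes` and `Excludes` become `*Filter` in the seccomp.go hunk without a doc comment saying what a nil value means, and with `omitempty` a JSON profile that leaves out `includes` or `excludes` now decodes to nil instead of an empty `Filter`, so every reader of `Syscall` has to nil-check before dereferencing; the setupSeccomp change in this diff does so, but other consumers of these fields are not visible here and a profile-loading panic would fail container start rather than silently widen the filter. I would state the contract on the struct, matching what setupSeccomp implements: `// Includes, when non-nil, restricts the rule to the listed arches, capabilities and minimum kernel (all must match); nil applies the rule unconditionally.` and `// Excludes, when non-nil, drops the rule when any listed arch, capability or minimum kernel matches; nil excludes nothing.` A one-line note on `Comment` that it is informational only and omitted from marshalled output when empty would round this out.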
@@ -111,42 +111,46 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 Loop:
 // Loop through all syscall blocks and convert them to libcontainer format after filtering them
 for _, call := range config.Syscalls {
- if len(call.Excludes.Arches) > 0 {
- if inSlice(call.Excludes.Arches, arch) {
- continue Loop
+ if call.Excludes != nil {
+ if len(call.Excludes.Arches) > 0 {
+ if inSlice(call.Excludes.Arches, arch) {
+ continue Loop
+ }
 }
- }
- if len(call.Excludes.Caps) > 0 {
- for _, c := range call.Excludes.Caps {
- if inSlice(rs.Process.Capabilities.Bounding, c) {
+ if len(call.Excludes.Caps) > 0 {
+ for _, c := range call.Excludes.Caps {
+ if inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+ if call.Excludes.MinKernel != nil {
+ if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
+ return nil, err
+ } else if ok {
 continue Loop
 }
 }
 }
- if call.Excludes.MinKernel != nil {
- if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
- return nil, err
- } else if ok {
- continue Loop
- }
- }
- if len(call.Includes.Arches) > 0 {
- if !inSlice(call.Includes.Arches, arch) {
- continue Loop
- }
- }
- if len(call.Includes.Caps) > 0 {
- for _, c := range call.Includes.Caps {
- if !inSlice(rs.Process.Capabilities.Bounding, c) {
+ if call.Includes != nil {
+ if len(call.Includes.Arches) > 0 {
+ if !inSlice(call.Includes.Arches, arch) {
 continue Loop
 }
 }
- }
- if call.Includes.MinKernel != nil {
- if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
- return nil, err
- } else if !ok {
- continue Loop
+ if len(call.Includes.Caps) > 0 {
+ for _, c := range call.Includes.Caps {
+ if !inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+ if call.Includes.MinKernel != nil {
+ if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
+ return nil, err
+ } else if !ok {
+ continue Loop
+ }
 }
 }