
profiles/seccomp.Syscall: use pointers and omitempty

These fields are optional, and this makes the JSON representation
slightly less verbose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 4 years ago
parent
commit
c7cd1b9436

+ 24 - 80
profiles/seccomp/default.json

@@ -393,10 +393,7 @@
 				"write",
 				"writev"
 			],
-			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			"action": "SCMP_ACT_ALLOW"
 		},
 		{
 			"names": [
@@ -405,11 +402,9 @@
 				"ptrace"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"minKernel": "4.8"
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -422,10 +417,7 @@
 					"value": 0,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -438,10 +430,7 @@
 					"value": 8,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -454,10 +443,7 @@
 					"value": 131072,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -470,10 +456,7 @@
 					"value": 131080,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
@@ -486,23 +469,18 @@
 					"value": 4294967295,
 					"op": "SCMP_CMP_EQ"
 				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
+			]
 		},
 		{
 			"names": [
 				"sync_file_range2"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"arches": [
 					"ppc64le"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -514,43 +492,37 @@
 				"set_tls"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"arches": [
 					"arm",
 					"arm64"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"arch_prctl"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"arches": [
 					"amd64",
 					"x32"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"modify_ldt"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"arches": [
 					"amd64",
 					"x32",
 					"x86"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -559,27 +531,23 @@
 				"s390_runtime_instr"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"arches": [
 					"s390",
 					"s390x"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"open_by_handle_at"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_DAC_READ_SEARCH"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -606,13 +574,11 @@
 				"unshare"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -626,8 +592,6 @@
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
-			"comment": "",
-			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
@@ -668,26 +632,22 @@
 				"reboot"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_BOOT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"chroot"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_CHROOT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -696,26 +656,22 @@
 				"finit_module"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_MODULE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"acct"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_PACCT"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -727,13 +683,11 @@
 				"ptrace"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_PTRACE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -741,13 +695,11 @@
 				"ioperm"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_RAWIO"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -756,26 +708,22 @@
 				"clock_settime"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_TIME"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"vhangup"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_TTY_CONFIG"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
@@ -784,26 +732,22 @@
 				"set_mempolicy"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_NICE"
 				]
-			},
-			"excludes": {}
+			}
 		},
 		{
 			"names": [
 				"syslog"
 			],
 			"action": "SCMP_ACT_ALLOW",
-			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYSLOG"
 				]
-			},
-			"excludes": {}
+			}
 		}
 	]
 }

+ 21 - 21
profiles/seccomp/default_linux.go

@@ -399,7 +399,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				MinKernel: &KernelVersion{4, 8},
 			},
 		},
@@ -475,7 +475,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"ppc64le"},
 			},
 		},
@@ -491,7 +491,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"arm", "arm64"},
 			},
 		},
@@ -502,7 +502,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"amd64", "x32"},
 			},
 		},
@@ -513,7 +513,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"amd64", "x32", "x86"},
 			},
 		},
@@ -526,7 +526,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"s390", "s390x"},
 			},
 		},
@@ -537,7 +537,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
 		},
@@ -568,7 +568,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -587,7 +587,7 @@ func DefaultProfile() *Seccomp {
 					},
 				},
 			},
-			Excludes: Filter{
+			Excludes: &Filter{
 				Caps:   []string{"CAP_SYS_ADMIN"},
 				Arches: []string{"s390", "s390x"},
 			},
@@ -608,10 +608,10 @@ func DefaultProfile() *Seccomp {
 				},
 			},
 			Comment: "s390 parameter ordering for clone is different",
-			Includes: Filter{
+			Includes: &Filter{
 				Arches: []string{"s390", "s390x"},
 			},
-			Excludes: Filter{
+			Excludes: &Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
@@ -622,7 +622,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_BOOT"},
 			},
 		},
@@ -633,7 +633,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
 		},
@@ -646,7 +646,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
 		},
@@ -657,7 +657,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
 		},
@@ -673,7 +673,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
 		},
@@ -685,7 +685,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
 		},
@@ -698,7 +698,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_TIME"},
 			},
 		},
@@ -709,7 +709,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
@@ -722,7 +722,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 		},
@@ -733,7 +733,7 @@ func DefaultProfile() *Seccomp {
 				},
 				Action: specs.ActAllow,
 			},
-			Includes: Filter{
+			Includes: &Filter{
 				Caps: []string{"CAP_SYSLOG"},
 			},
 		},

+ 4 - 4
profiles/seccomp/seccomp.go

@@ -48,10 +48,10 @@ type Filter struct {
 type Syscall struct {
 	specs.LinuxSyscall
 	// Deprecated: kept for backward compatibility with old JSON profiles, use Names instead
-	Name     string `json:"name,omitempty"`
-	Comment  string `json:"comment"`
-	Includes Filter `json:"includes"`
-	Excludes Filter `json:"excludes"`
+	Name     string  `json:"name,omitempty"`
+	Comment  string  `json:"comment,omitempty"`
+	Includes *Filter `json:"includes,omitempty"`
+	Excludes *Filter `json:"excludes,omitempty"`
 }
 
 // KernelVersion holds information about the kernel.
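Review bot: Includes and Excludes on the new lines now have pointer semantics, yet nothing on the Syscall type says what a nil filter means, and the only field comment is the `// Deprecated:` line on Name, which at a glance reads as if it covered the fields below it. Since the consumer in seccomp_linux.go treats a nil filter as "no constraint" — the same effect the old zero-value Filter had — a field comment makes that compatibility explicit: `// Includes, when non-nil, keeps the rule only if the current arch, bounding caps and kernel all match; nil imposes no restriction.` and `// Excludes, when non-nil, drops the rule when any listed arch or cap, or the kernel version, matches; nil imposes no restriction.` Note also that `omitempty` on a pointer omits only nil, so a rule built with `&Filter{}` still serializes as `"includes": {}`; a blank line between the deprecated Name field and Comment would keep the Deprecated directive visually scoped to Name.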

+ 31 - 27
profiles/seccomp/seccomp_linux.go

@@ -111,42 +111,46 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
 	for _, call := range config.Syscalls {
-		if len(call.Excludes.Arches) > 0 {
-			if inSlice(call.Excludes.Arches, arch) {
-				continue Loop
-			}
-		}
-		if len(call.Excludes.Caps) > 0 {
-			for _, c := range call.Excludes.Caps {
-				if inSlice(rs.Process.Capabilities.Bounding, c) {
+		if call.Excludes != nil {
+			if len(call.Excludes.Arches) > 0 {
+				if inSlice(call.Excludes.Arches, arch) {
 					continue Loop
 				}
 			}
-		}
-		if call.Excludes.MinKernel != nil {
-			if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
-				return nil, err
-			} else if ok {
-				continue Loop
+			if len(call.Excludes.Caps) > 0 {
+				for _, c := range call.Excludes.Caps {
+					if inSlice(rs.Process.Capabilities.Bounding, c) {
+						continue Loop
+					}
+				}
 			}
-		}
-		if len(call.Includes.Arches) > 0 {
-			if !inSlice(call.Includes.Arches, arch) {
-				continue Loop
+			if call.Excludes.MinKernel != nil {
+				if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
+					return nil, err
+				} else if ok {
+					continue Loop
+				}
 			}
 		}
-		if len(call.Includes.Caps) > 0 {
-			for _, c := range call.Includes.Caps {
-				if !inSlice(rs.Process.Capabilities.Bounding, c) {
+		if call.Includes != nil {
+			if len(call.Includes.Arches) > 0 {
+				if !inSlice(call.Includes.Arches, arch) {
 					continue Loop
 				}
 			}
-		}
-		if call.Includes.MinKernel != nil {
-			if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
-				return nil, err
-			} else if !ok {
-				continue Loop
+			if len(call.Includes.Caps) > 0 {
+				for _, c := range call.Includes.Caps {
+					if !inSlice(rs.Process.Capabilities.Bounding, c) {
+						continue Loop
+					}
+				}
+			}
+			if call.Includes.MinKernel != nil {
+				if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
+					return nil, err
+				} else if !ok {
+					continue Loop
+				}
 			}
 		}
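Review bot: The `len(call.Excludes.Arches) > 0` / `len(call.Excludes.Caps) > 0` guards, and their Includes counterparts, are now redundant inside the nil check: ranging over an empty slice is a no-op and inSlice over an empty slice presumably cannot match, so each guard can be dropped to remove one nesting level from the relocated blocks. The decision rule is security-relevant and not stated anywhere in the loop, so a comment above the new `if call.Excludes != nil {` would help: `// A rule is dropped when any Excludes criterion matches and kept only when every Includes criterion holds; a nil filter (absent JSON key, or the old zero-value Filter) imposes no constraint.` The moved lines still dereference `rs.Process.Capabilities.Bounding` without a nil check; if any caller of setupSeccomp can pass a spec without Process or Capabilities set, this panics, which predates the commit but would be cheap to guard once before the loop. setupSeccomp's signature and the rest of the loop body lie outside the hunk.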