Преглед на файлове

Remove dependency in dockerd on libseccomp

This was just using libseccomp to get the right arch, but we can use
GOARCH to get this.
The nativeToSeccomp map needed to be adjusted a bit for mipsle vs mipsel
since that's go how refers to it. Also added some other arches to it.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Brian Goff преди 4 години
родител
ревизия
ccbb00c815
променени са 2 файла, в които са добавени 39 реда и са изтрити 21 реда
  1. 1 1
      profiles/seccomp/default_linux.go
  2. 38 20
      profiles/seccomp/seccomp_linux.go

+ 1 - 1
profiles/seccomp/seccomp_default.go → profiles/seccomp/default_linux.go

@@ -1,4 +1,4 @@
-// +build linux,seccomp
+// +build seccomp
 
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 

+ 38 - 20
profiles/seccomp/seccomp.go → profiles/seccomp/seccomp_linux.go

@@ -1,4 +1,4 @@
-// +build linux
+//go:generate go run -tags 'seccomp' generate.go
 
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
@@ -6,15 +6,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"runtime"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/parsers/kernel"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
-	libseccomp "github.com/seccomp/libseccomp-golang"
 )
 
-//go:generate go run -tags 'seccomp' generate.go
-
 // GetDefaultProfile returns the default seccomp profile.
 func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 	return setupSeccomp(DefaultProfile(), rs)
@@ -29,16 +27,42 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 	return setupSeccomp(&config, rs)
 }
 
+// libseccomp string => seccomp arch
 var nativeToSeccomp = map[string]types.Arch{
+	"x86":         types.ArchX86,
 	"amd64":       types.ArchX86_64,
+	"arm":         types.ArchARM,
 	"arm64":       types.ArchAARCH64,
 	"mips64":      types.ArchMIPS64,
 	"mips64n32":   types.ArchMIPS64N32,
 	"mipsel64":    types.ArchMIPSEL64,
-	"mipsel64n32": types.ArchMIPSEL64N32,
+	"mips3l64n32": types.ArchMIPSEL64N32,
+	"mipsle":      types.ArchMIPSEL,
+	"ppc":         types.ArchPPC,
+	"ppc64":       types.ArchPPC64,
+	"ppc64le":     types.ArchPPC64LE,
+	"s390":        types.ArchS390,
 	"s390x":       types.ArchS390X,
 }
 
+// GOARCH => libseccomp string
+var goToNative = map[string]string{
+	"386":         "x86",
+	"amd64":       "amd64",
+	"arm":         "arm",
+	"arm64":       "arm64",
+	"mips64":      "mips64",
+	"mips64p32":   "mips64n32",
+	"mips64le":    "mipsel64",
+	"mips64p32le": "mips3l64n32",
+	"mipsle":      "mipsel",
+	"ppc":         "ppc",
+	"ppc64":       "ppc64",
+	"ppc64le":     "ppc64le",
+	"s390":        "s390",
+	"s390x":       "s390x",
+}
+
 // inSlice tests whether a string is contained in a slice of strings or not.
 // Comparison is case sensitive
 func inSlice(slice []string, s string) bool {
@@ -62,12 +86,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 
 	newConfig := &specs.LinuxSeccomp{}
 
-	var arch string
-	var native, err = libseccomp.GetNativeArch()
-	if err == nil {
-		arch = native.String()
-	}
-
 	if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
 		return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
 	}
@@ -79,17 +97,17 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 		}
 	}
 
-	if len(config.ArchMap) != 0 {
+	arch := goToNative[runtime.GOARCH]
+	seccompArch, archExists := nativeToSeccomp[arch]
+
+	if len(config.ArchMap) != 0 && archExists {
 		for _, a := range config.ArchMap {
-			seccompArch, ok := nativeToSeccomp[arch]
-			if ok {
-				if a.Arch == seccompArch {
-					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
-					for _, sa := range a.SubArches {
-						newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
-					}
-					break
+			if a.Arch == seccompArch {
+				newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
+				for _, sa := range a.SubArches {
+					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
 				}
+				break
 			}
 		}
 	}