diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/default_linux.go similarity index 99% rename from profiles/seccomp/seccomp_default.go rename to profiles/seccomp/default_linux.go index 5f4efe02c4..e3162f17bf 100644 --- a/profiles/seccomp/seccomp_default.go +++ b/profiles/seccomp/default_linux.go @@ -1,4 +1,4 @@ -// +build linux,seccomp +// +build seccomp package seccomp // import "github.com/docker/docker/profiles/seccomp" diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp_linux.go similarity index 81% rename from profiles/seccomp/seccomp.go rename to profiles/seccomp/seccomp_linux.go index 12721a120c..7847085a0a 100644 --- a/profiles/seccomp/seccomp.go +++ b/profiles/seccomp/seccomp_linux.go @@ -1,4 +1,4 @@ -// +build linux +//go:generate go run -tags 'seccomp' generate.go package seccomp // import "github.com/docker/docker/profiles/seccomp" @@ -6,15 +6,13 @@ import ( "encoding/json" "errors" "fmt" + "runtime" "github.com/docker/docker/api/types" "github.com/docker/docker/pkg/parsers/kernel" specs "github.com/opencontainers/runtime-spec/specs-go" - libseccomp "github.com/seccomp/libseccomp-golang" ) -//go:generate go run -tags 'seccomp' generate.go - // GetDefaultProfile returns the default seccomp profile. func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { return setupSeccomp(DefaultProfile(), rs) @@ -29,16 +27,42 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { return setupSeccomp(&config, rs) } +// libseccomp string => seccomp arch var nativeToSeccomp = map[string]types.Arch{ + "x86": types.ArchX86, "amd64": types.ArchX86_64, + "arm": types.ArchARM, "arm64": types.ArchAARCH64, "mips64": types.ArchMIPS64, "mips64n32": types.ArchMIPS64N32, "mipsel64": types.ArchMIPSEL64, - "mipsel64n32": types.ArchMIPSEL64N32, + "mips3l64n32": types.ArchMIPSEL64N32, + "mipsle": types.ArchMIPSEL, + "ppc": types.ArchPPC, + "ppc64": types.ArchPPC64, + "ppc64le": types.ArchPPC64LE, + "s390": types.ArchS390, "s390x": types.ArchS390X, } +// GOARCH => libseccomp string +var goToNative = map[string]string{ + "386": "x86", + "amd64": "amd64", + "arm": "arm", + "arm64": "arm64", + "mips64": "mips64", + "mips64p32": "mips64n32", + "mips64le": "mipsel64", + "mips64p32le": "mips3l64n32", + "mipsle": "mipsel", + "ppc": "ppc", + "ppc64": "ppc64", + "ppc64le": "ppc64le", + "s390": "s390", + "s390x": "s390x", +} + // inSlice tests whether a string is contained in a slice of strings or not. // Comparison is case sensitive func inSlice(slice []string, s string) bool { @@ -62,12 +86,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e newConfig := &specs.LinuxSeccomp{} - var arch string - var native, err = libseccomp.GetNativeArch() - if err == nil { - arch = native.String() - } - if len(config.Architectures) != 0 && len(config.ArchMap) != 0 { return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'") } @@ -79,17 +97,17 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e } } - if len(config.ArchMap) != 0 { + arch := goToNative[runtime.GOARCH] + seccompArch, archExists := nativeToSeccomp[arch] + + if len(config.ArchMap) != 0 && archExists { for _, a := range config.ArchMap { - seccompArch, ok := nativeToSeccomp[arch] - if ok { - if a.Arch == seccompArch { - newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch)) - for _, sa := range a.SubArches { - newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa)) - } - break + if a.Arch == seccompArch { + newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch)) + for _, sa := range a.SubArches { + newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa)) } + break } } }