From 0efee50b95f1fc92d4e29fb4eeb9869a5fc0b280 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 18 Sep 2020 18:14:16 +0200
Subject: [PATCH] seccomp: move seccomp types from api into seccomp profile
These types were not used in the API, so could not come up with a reason why they were in that package.
Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/default_linux.go | 199 ++++++++++-----------
 {api/types => profiles/seccomp}/seccomp.go | 2 +-
 profiles/seccomp/seccomp_linux.go | 37 ++--
 profiles/seccomp/seccomp_unsupported.go | 6 +-
 4 files changed, 119 insertions(+), 125 deletions(-)
 rename {api/types => profiles/seccomp}/seccomp.go (97%)
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index e3162f17bf..7c74ce7c32 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -3,46 +3,45 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp"
 import (
- "github.com/docker/docker/api/types"
 "golang.org/x/sys/unix"
 )
-func arches() []types.Architecture {
- return []types.Architecture{
+func arches() []Architecture {
+ return []Architecture{
 {
- Arch: types.ArchX86_64,
- SubArches: []types.Arch{types.ArchX86, types.ArchX32},
+ Arch: ArchX86_64,
+ SubArches: []Arch{ArchX86, ArchX32},
 },
 {
- Arch: types.ArchAARCH64,
- SubArches: []types.Arch{types.ArchARM},
+ Arch: ArchAARCH64,
+ SubArches: []Arch{ArchARM},
 },
 {
- Arch: types.ArchMIPS64,
- SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
+ Arch: ArchMIPS64,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64N32},
 },
 {
- Arch: types.ArchMIPS64N32,
- SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
+ Arch: ArchMIPS64N32,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64},
 },
 {
- Arch: types.ArchMIPSEL64,
- SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
+ Arch: ArchMIPSEL64,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32},
 },
 {
- Arch: types.ArchMIPSEL64N32,
- SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
+ Arch: ArchMIPSEL64N32,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64},
 },
 {
- Arch: types.ArchS390X,
- SubArches: []types.Arch{types.ArchS390},
+ Arch: ArchS390X,
+ SubArches: []Arch{ArchS390},
 },
 }
 }
 // DefaultProfile defines the allowed syscalls for the default seccomp profile.
-func DefaultProfile() *types.Seccomp {
- syscalls := []*types.Syscall{
+func DefaultProfile() *Seccomp {
+ syscalls := []*Syscall{
 {
 Names: []string{
 "accept",
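Review bot: Dropping the exported `Seccomp`, `Syscall`, `Arg`, `Filter`, `Architecture`, `Arch` and `Action` types from `api/types` (the `seccomp.go` rename hunk later in this patch) is a breaking change for any Go program that imports `github.com/docker/docker/api/types` to parse or build seccomp profiles, even though nothing in the REST API referenced them; the commit message only records that they were unused in the API. If it would not drag platform-specific dependencies into `api/types`, leaving `// Deprecated:` aliases behind (for example `type Seccomp = seccomp.Seccomp`) would keep those importers compiling for a release, and if that is not an option the removal should be called out in the release notes. The `arches()` and `DefaultProfile()` signature changes in this hunk are otherwise mechanical; `DefaultProfile`'s body continues past the hunk.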
@@ -382,68 +381,68 @@ func DefaultProfile() *types.Seccomp {
 "write",
 "writev",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
+ Action: ActAllow,
+ Args: []*Arg{},
 },
 {
 Names: []string{"ptrace"},
- Action: types.ActAllow,
- Includes: types.Filter{
+ Action: ActAllow,
+ Includes: Filter{
 MinKernel: "4.8",
 },
 },
 {
 Names: []string{"personality"},
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: 0x0,
- Op: types.OpEqualTo,
+ Op: OpEqualTo,
 },
 },
 },
 {
 Names: []string{"personality"},
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: 0x0008,
- Op: types.OpEqualTo,
+ Op: OpEqualTo,
 },
 },
 },
 {
 Names: []string{"personality"},
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: 0x20000,
- Op: types.OpEqualTo,
+ Op: OpEqualTo,
 },
 },
 },
 {
 Names: []string{"personality"},
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: 0x20008,
- Op: types.OpEqualTo,
+ Op: OpEqualTo,
 },
 },
 },
 {
 Names: []string{"personality"},
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: 0xffffffff,
- Op: types.OpEqualTo,
+ Op: OpEqualTo,
 },
 },
 },
@@ -451,9 +450,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "sync_file_range2",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Arches: []string{"ppc64le"},
 },
 },
@@ -466,9 +465,9 @@ func DefaultProfile() *types.Seccomp {
 "cacheflush",
 "set_tls",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Arches: []string{"arm", "arm64"},
 },
 },
@@ -476,9 +475,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "arch_prctl",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Arches: []string{"amd64", "x32"},
 },
 },
@@ -486,9 +485,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "modify_ldt",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Arches: []string{"amd64", "x32", "x86"},
 },
 },
@@ -498,9 +497,9 @@ func DefaultProfile() *types.Seccomp {
 "s390_pci_mmio_write",
 "s390_runtime_instr",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Arches: []string{"s390", "s390x"},
 },
 },
@@ -508,9 +507,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "open_by_handle_at",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_DAC_READ_SEARCH"},
 },
 },
@@ -532,9 +531,9 @@ func DefaultProfile() *types.Seccomp {
 "umount2",
 "unshare",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 },
 },
@@ -542,16 +541,16 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "clone",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 0,
 Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 ValueTwo: 0,
- Op: types.OpMaskedEqual,
+ Op: OpMaskedEqual,
 },
 },
- Excludes: types.Filter{
+ Excludes: Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 Arches: []string{"s390", "s390x"},
 },
@@ -560,20 +559,20 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "clone",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{
+ Action: ActAllow,
+ Args: []*Arg{
 {
 Index: 1,
 Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 ValueTwo: 0,
- Op: types.OpMaskedEqual,
+ Op: OpMaskedEqual,
 },
 },
 Comment: "s390 parameter ordering for clone is different",
- Includes: types.Filter{
+ Includes: Filter{
 Arches: []string{"s390", "s390x"},
 },
- Excludes: types.Filter{
+ Excludes: Filter{
 Caps: []string{"CAP_SYS_ADMIN"},
 },
 },
@@ -581,9 +580,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "reboot",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_BOOT"},
 },
 },
@@ -591,9 +590,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "chroot",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_CHROOT"},
 },
 },
@@ -603,9 +602,9 @@ func DefaultProfile() *types.Seccomp {
 "init_module",
 "finit_module",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_MODULE"},
 },
 },
@@ -613,9 +612,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "acct",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_PACCT"},
 },
 },
@@ -626,9 +625,9 @@ func DefaultProfile() *types.Seccomp {
 "process_vm_writev",
 "ptrace",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_PTRACE"},
 },
 },
@@ -637,9 +636,9 @@ func DefaultProfile() *types.Seccomp {
 "iopl",
 "ioperm",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_RAWIO"},
 },
 },
@@ -649,9 +648,9 @@ func DefaultProfile() *types.Seccomp {
 "stime",
 "clock_settime",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_TIME"},
 },
 },
@@ -659,9 +658,9 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "vhangup",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_TTY_CONFIG"},
 },
 },
@@ -671,9 +670,9 @@ func DefaultProfile() *types.Seccomp {
 "mbind",
 "set_mempolicy",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYS_NICE"},
 },
 },
@@ -681,16 +680,16 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "syslog",
 },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
 Caps: []string{"CAP_SYSLOG"},
 },
 },
 }
- return &types.Seccomp{
- DefaultAction: types.ActErrno,
+ return &Seccomp{
+ DefaultAction: ActErrno,
 ArchMap: arches(),
 Syscalls: syscalls,
 }
diff --git a/api/types/seccomp.go b/profiles/seccomp/seccomp.go
similarity index 97%
rename from api/types/seccomp.go
rename to profiles/seccomp/seccomp.go
index 2259c6be1e..6be4c76056 100644
--- a/api/types/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -1,4 +1,4 @@
-package types // import "github.com/docker/docker/api/types"
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
index 7847085a0a..29b2ea0934 100644
--- a/profiles/seccomp/seccomp_linux.go
+++ b/profiles/seccomp/seccomp_linux.go
@@ -8,7 +8,6 @@ import (
 "fmt"
 "runtime"
- "github.com/docker/docker/api/types"
 "github.com/docker/docker/pkg/parsers/kernel"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -20,7 +19,7 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 // LoadProfile takes a json string and decodes the seccomp profile.
 func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
- var config types.Seccomp
+ var config Seccomp
 if err := json.Unmarshal([]byte(body), &config); err != nil {
 return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
 }
@@ -28,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 }
 // libseccomp string => seccomp arch
-var nativeToSeccomp = map[string]types.Arch{
- "x86": types.ArchX86,
- "amd64": types.ArchX86_64,
- "arm": types.ArchARM,
- "arm64": types.ArchAARCH64,
- "mips64": types.ArchMIPS64,
- "mips64n32": types.ArchMIPS64N32,
- "mipsel64": types.ArchMIPSEL64,
- "mips3l64n32": types.ArchMIPSEL64N32,
- "mipsle": types.ArchMIPSEL,
- "ppc": types.ArchPPC,
- "ppc64": types.ArchPPC64,
- "ppc64le": types.ArchPPC64LE,
- "s390": types.ArchS390,
- "s390x": types.ArchS390X,
+var nativeToSeccomp = map[string]Arch{
+ "x86": ArchX86,
+ "amd64": ArchX86_64,
+ "arm": ArchARM,
+ "arm64": ArchAARCH64,
+ "mips64": ArchMIPS64,
+ "mips64n32": ArchMIPS64N32,
+ "mipsel64": ArchMIPSEL64,
+ "mips3l64n32": ArchMIPSEL64N32,
+ "mipsle": ArchMIPSEL,
+ "ppc": ArchPPC,
+ "ppc64": ArchPPC64,
+ "ppc64le": ArchPPC64LE,
+ "s390": ArchS390,
+ "s390x": ArchS390X,
 }
 // GOARCH => libseccomp string
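Review bot: `LoadProfile` in the `@@ -20,7 +19,7 @@` hunk still decodes the caller-supplied profile with `json.Unmarshal`, which silently ignores keys it does not recognise, so a misspelled key in a custom profile is dropped rather than rejected and the profile that is applied may not be the one its author intended. This predates the commit, but now that `Seccomp` is declared in this package the loader is the natural place to tighten it. Replacing the decode with `dec := json.NewDecoder(strings.NewReader(body))`, `dec.DisallowUnknownFields()` and `if err := dec.Decode(&config); err != nil {` makes such profiles fail closed; it needs `strings` in the import block above, and existing profiles carrying extra keys would start failing, so it is a behaviour change to call out. `LoadProfile`'s body continues past the hunk.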
@@ -74,7 +73,7 @@ func inSlice(slice []string, s string) bool {
 return false
 }
-func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
 if config == nil {
 return nil, nil
 }
@@ -170,7 +169,7 @@ Loop:
 return newConfig, nil
 }
-func createSpecsSyscall(names []string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(names []string, action Action, args []*Arg) specs.LinuxSyscall {
 newCall := specs.LinuxSyscall{
 Names: names,
 Action: specs.LinuxSeccompAction(action),
diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
index 67e06401f1..01f3eb96fd 100644
--- a/profiles/seccomp/seccomp_unsupported.go
+++ b/profiles/seccomp/seccomp_unsupported.go
@@ -2,11 +2,7 @@
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
-import (
- "github.com/docker/docker/api/types"
-)
 // DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *types.Seccomp {
+func DefaultProfile() *Seccomp {
 return nil
 }