From 0efee50b95f1fc92d4e29fb4eeb9869a5fc0b280 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 18 Sep 2020 18:14:16 +0200 Subject: [PATCH 1/2] seccomp: move seccomp types from api into seccomp profile These types were not used in the API, so could not come up with a reason why they were in that package. Signed-off-by: Sebastiaan van Stijn --- profiles/seccomp/default_linux.go | 199 ++++++++++----------- {api/types => profiles/seccomp}/seccomp.go | 2 +- profiles/seccomp/seccomp_linux.go | 37 ++-- profiles/seccomp/seccomp_unsupported.go | 6 +- 4 files changed, 119 insertions(+), 125 deletions(-) rename {api/types => profiles/seccomp}/seccomp.go (97%) diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go index e3162f17bf..7c74ce7c32 100644 --- a/profiles/seccomp/default_linux.go +++ b/profiles/seccomp/default_linux.go 
@@ -3,46 +3,45 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp" import ( - "github.com/docker/docker/api/types" "golang.org/x/sys/unix" ) -func arches() []types.Architecture { - return []types.Architecture{ +func arches() []Architecture { + return []Architecture{ { - Arch: types.ArchX86_64, - SubArches: []types.Arch{types.ArchX86, types.ArchX32}, + Arch: ArchX86_64, + SubArches: []Arch{ArchX86, ArchX32}, }, { - Arch: types.ArchAARCH64, - SubArches: []types.Arch{types.ArchARM}, + Arch: ArchAARCH64, + SubArches: []Arch{ArchARM}, }, { - Arch: types.ArchMIPS64, - SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32}, + Arch: ArchMIPS64, + SubArches: []Arch{ArchMIPS, ArchMIPS64N32}, }, { - Arch: types.ArchMIPS64N32, - SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64}, + Arch: ArchMIPS64N32, + SubArches: []Arch{ArchMIPS, ArchMIPS64}, }, { - Arch: types.ArchMIPSEL64, - SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32}, + Arch: ArchMIPSEL64, + SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32}, }, { - Arch: types.ArchMIPSEL64N32, - SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64}, + Arch: ArchMIPSEL64N32, + SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64}, }, { - Arch: types.ArchS390X, - SubArches: []types.Arch{types.ArchS390}, + Arch: ArchS390X, + SubArches: []Arch{ArchS390}, }, } } // DefaultProfile defines the allowed syscalls for the default seccomp profile. -func DefaultProfile() *types.Seccomp { - syscalls := []*types.Syscall{ +func DefaultProfile() *Seccomp { + syscalls := []*Syscall{ { Names: []string{ "accept", 
@@ -382,68 +381,68 @@ func DefaultProfile() *types.Seccomp { "write", "writev", }, - Action: types.ActAllow, - Args: []*types.Arg{}, + Action: ActAllow, + Args: []*Arg{}, }, { Names: []string{"ptrace"}, - Action: types.ActAllow, - Includes: types.Filter{ + Action: ActAllow, + Includes: Filter{ MinKernel: "4.8", }, }, { Names: []string{"personality"}, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: 0x0, - Op: types.OpEqualTo, + Op: OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: 0x0008, - Op: types.OpEqualTo, + Op: OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: 0x20000, - Op: types.OpEqualTo, + Op: OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: 0x20008, - Op: types.OpEqualTo, + Op: OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: 0xffffffff, - Op: types.OpEqualTo, + Op: OpEqualTo, }, }, }, @@ -451,9 +450,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "sync_file_range2", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Arches: []string{"ppc64le"}, }, }, @@ -466,9 +465,9 @@ func DefaultProfile() *types.Seccomp { "cacheflush", "set_tls", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Arches: []string{"arm", "arm64"}, }, }, 
@@ -476,9 +475,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "arch_prctl", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Arches: []string{"amd64", "x32"}, }, }, @@ -486,9 +485,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "modify_ldt", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Arches: []string{"amd64", "x32", "x86"}, }, }, @@ -498,9 +497,9 @@ func DefaultProfile() *types.Seccomp { "s390_pci_mmio_write", "s390_runtime_instr", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Arches: []string{"s390", "s390x"}, }, }, @@ -508,9 +507,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "open_by_handle_at", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_DAC_READ_SEARCH"}, }, }, @@ -532,9 +531,9 @@ func DefaultProfile() *types.Seccomp { "umount2", "unshare", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, }, @@ -542,16 +541,16 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "clone", }, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 0, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, ValueTwo: 0, - Op: types.OpMaskedEqual, + Op: OpMaskedEqual, }, }, - Excludes: types.Filter{ + Excludes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, Arches: []string{"s390", "s390x"}, }, 
@@ -560,20 +559,20 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "clone", }, - Action: types.ActAllow, - Args: []*types.Arg{ + Action: ActAllow, + Args: []*Arg{ { Index: 1, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, ValueTwo: 0, - Op: types.OpMaskedEqual, + Op: OpMaskedEqual, }, }, Comment: "s390 parameter ordering for clone is different", - Includes: types.Filter{ + Includes: Filter{ Arches: []string{"s390", "s390x"}, }, - Excludes: types.Filter{ + Excludes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, }, @@ -581,9 +580,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "reboot", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_BOOT"}, }, }, @@ -591,9 +590,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "chroot", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_CHROOT"}, }, }, @@ -603,9 +602,9 @@ func DefaultProfile() *types.Seccomp { "init_module", "finit_module", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_MODULE"}, }, }, @@ -613,9 +612,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "acct", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_PACCT"}, }, }, @@ -626,9 +625,9 @@ func DefaultProfile() *types.Seccomp { "process_vm_writev", "ptrace", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_PTRACE"}, }, }, 
@@ -637,9 +636,9 @@ func DefaultProfile() *types.Seccomp { "iopl", "ioperm", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_RAWIO"}, }, }, @@ -649,9 +648,9 @@ func DefaultProfile() *types.Seccomp { "stime", "clock_settime", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_TIME"}, }, }, @@ -659,9 +658,9 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "vhangup", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, }, @@ -671,9 +670,9 @@ func DefaultProfile() *types.Seccomp { "mbind", "set_mempolicy", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYS_NICE"}, }, }, @@ -681,16 +680,16 @@ func DefaultProfile() *types.Seccomp { Names: []string{ "syslog", }, - Action: types.ActAllow, - Args: []*types.Arg{}, - Includes: types.Filter{ + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ Caps: []string{"CAP_SYSLOG"}, }, }, } - return &types.Seccomp{ - DefaultAction: types.ActErrno, + return &Seccomp{ + DefaultAction: ActErrno, ArchMap: arches(), Syscalls: syscalls, } diff --git a/api/types/seccomp.go b/profiles/seccomp/seccomp.go similarity index 97% rename from api/types/seccomp.go rename to profiles/seccomp/seccomp.go index 2259c6be1e..6be4c76056 100644 --- a/api/types/seccomp.go +++ b/profiles/seccomp/seccomp.go @@ -1,4 +1,4 @@ -package types // import "github.com/docker/docker/api/types" +package seccomp // import "github.com/docker/docker/profiles/seccomp" // Seccomp represents the config for a seccomp profile for syscall restriction. type Seccomp struct { 
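Review bot: Moving seccomp.go out of api/types removes exported Go identifiers (`types.Seccomp`, `types.Architecture`, `types.Arch`, `types.Action`, `types.Operator`, `types.Arg`, `types.Filter`, `types.Syscall` and their constants) from a package that external programs import as a library, so this is a source-breaking change for them even though the REST API never carried these types. If the dependency direction is acceptable (api/types would then import a package that pulls in runtime-spec and, on Linux, golang.org/x/sys/unix), leaving deprecated aliases behind for a release, e.g. `// Deprecated: use github.com/docker/docker/profiles/seccomp.Seccomp` above `type Seccomp = seccomp.Seccomp`, gives importers a migration path; if not, the removal should at least be called out in the release notes. The second patch in this series deletes most of the small types anyway, which settles the question for those but not for `Seccomp`, `Architecture`, `Filter` and `Syscall`.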
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go index 7847085a0a..29b2ea0934 100644 --- a/profiles/seccomp/seccomp_linux.go +++ b/profiles/seccomp/seccomp_linux.go @@ -8,7 +8,6 @@ import ( "fmt" "runtime" - "github.com/docker/docker/api/types" "github.com/docker/docker/pkg/parsers/kernel" specs "github.com/opencontainers/runtime-spec/specs-go" ) @@ -20,7 +19,7 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { // LoadProfile takes a json string and decodes the seccomp profile. func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { - var config types.Seccomp + var config Seccomp if err := json.Unmarshal([]byte(body), &config); err != nil { return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err) } @@ -28,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { } // libseccomp string => seccomp arch -var nativeToSeccomp = map[string]types.Arch{ - "x86": types.ArchX86, - "amd64": types.ArchX86_64, - "arm": types.ArchARM, - "arm64": types.ArchAARCH64, - "mips64": types.ArchMIPS64, - "mips64n32": types.ArchMIPS64N32, - "mipsel64": types.ArchMIPSEL64, - "mips3l64n32": types.ArchMIPSEL64N32, - "mipsle": types.ArchMIPSEL, - "ppc": types.ArchPPC, - "ppc64": types.ArchPPC64, - "ppc64le": types.ArchPPC64LE, - "s390": types.ArchS390, - "s390x": types.ArchS390X, +var nativeToSeccomp = map[string]Arch{ + "x86": ArchX86, + "amd64": ArchX86_64, + "arm": ArchARM, + "arm64": ArchAARCH64, + "mips64": ArchMIPS64, + "mips64n32": ArchMIPS64N32, + "mipsel64": ArchMIPSEL64, + "mips3l64n32": ArchMIPSEL64N32, + "mipsle": ArchMIPSEL, + "ppc": ArchPPC, + "ppc64": ArchPPC64, + "ppc64le": ArchPPC64LE, + "s390": ArchS390, + "s390x": ArchS390X, } // GOARCH => libseccomp string 
@@ -74,7 +73,7 @@ func inSlice(slice []string, s string) bool { return false } -func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) { +func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) { if config == nil { return nil, nil } @@ -170,7 +169,7 @@ Loop: return newConfig, nil } -func createSpecsSyscall(names []string, action types.Action, args []*types.Arg) specs.LinuxSyscall { +func createSpecsSyscall(names []string, action Action, args []*Arg) specs.LinuxSyscall { newCall := specs.LinuxSyscall{ Names: names, Action: specs.LinuxSeccompAction(action), diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go index 67e06401f1..01f3eb96fd 100644 --- a/profiles/seccomp/seccomp_unsupported.go +++ b/profiles/seccomp/seccomp_unsupported.go @@ -2,11 +2,7 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp" -import ( - "github.com/docker/docker/api/types" -) - // DefaultProfile returns a nil pointer on unsupported systems. -func DefaultProfile() *types.Seccomp { +func DefaultProfile() *Seccomp { return nil } From 0d75b63987e8becb04da717a11742bdd9a0db879 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 18 Sep 2020 18:49:38 +0200 Subject: [PATCH 2/2] seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn --- profiles/seccomp/default.json | 7 -- profiles/seccomp/default_linux.go | 147 +++++++++++++++--------------- profiles/seccomp/seccomp.go | 82 +++-------------- profiles/seccomp/seccomp_linux.go | 55 +++++------ 4 files changed, 109 insertions(+), 182 deletions(-) diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index ee1e91193a..edf8ee2d02 100644 --- a/profiles/seccomp/default.json +++ b/profiles/seccomp/default.json @@ -416,7 +416,6 @@ { "index": 0, "value": 0, - "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], @@ -433,7 +432,6 @@ { "index": 0, "value": 8, - "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], 
@@ -450,7 +448,6 @@ { "index": 0, "value": 131072, - "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], @@ -467,7 +464,6 @@ { "index": 0, "value": 131080, - "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], @@ -484,7 +480,6 @@ { "index": 0, "value": 4294967295, - "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], @@ -625,7 +620,6 @@ { "index": 0, "value": 2114060288, - "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ" } ], @@ -650,7 +644,6 @@ { "index": 1, "value": 2114060288, - "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ" } ], diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go index 7c74ce7c32..3abdf22ec6 100644 --- a/profiles/seccomp/default_linux.go +++ b/profiles/seccomp/default_linux.go @@ -3,38 +3,39 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp" import ( + "github.com/opencontainers/runtime-spec/specs-go" "golang.org/x/sys/unix" ) func arches() []Architecture { return []Architecture{ { - Arch: ArchX86_64, - SubArches: []Arch{ArchX86, ArchX32}, + Arch: specs.ArchX86_64, + SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32}, }, { - Arch: ArchAARCH64, - SubArches: []Arch{ArchARM}, + Arch: specs.ArchAARCH64, + SubArches: []specs.Arch{specs.ArchARM}, }, { - Arch: ArchMIPS64, - SubArches: []Arch{ArchMIPS, ArchMIPS64N32}, + Arch: specs.ArchMIPS64, + SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32}, }, { - Arch: ArchMIPS64N32, - SubArches: []Arch{ArchMIPS, ArchMIPS64}, + Arch: specs.ArchMIPS64N32, + SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64}, }, { - Arch: ArchMIPSEL64, - SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32}, + Arch: specs.ArchMIPSEL64, + SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32}, }, { - Arch: ArchMIPSEL64N32, - SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64}, + Arch: specs.ArchMIPSEL64N32, + SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64}, }, { - Arch: ArchS390X, - SubArches: []Arch{ArchS390}, + Arch: specs.ArchS390X, + SubArches: []specs.Arch{specs.ArchS390}, }, } } 
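Review bot: The new import of `github.com/opencontainers/runtime-spec/specs-go` added at the top of default_linux.go (and likewise in seccomp.go later in this patch) is unaliased, while seccomp_linux.go imports the same package as `specs "github.com/opencontainers/runtime-spec/specs-go"`. Both forms compile, because the package clause of that module is `specs`, but a reader of the unaliased import block cannot see where the `specs.` qualifier used on every line below comes from. Using the explicit alias in all three files, `specs "github.com/opencontainers/runtime-spec/specs-go"`, keeps the import blocks consistent with the existing file.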
@@ -381,68 +382,68 @@ func DefaultProfile() *Seccomp { "write", "writev", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, }, { Names: []string{"ptrace"}, - Action: ActAllow, + Action: specs.ActAllow, Includes: Filter{ MinKernel: "4.8", }, }, { Names: []string{"personality"}, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: 0x0, - Op: OpEqualTo, + Op: specs.OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: 0x0008, - Op: OpEqualTo, + Op: specs.OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: 0x20000, - Op: OpEqualTo, + Op: specs.OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: 0x20008, - Op: OpEqualTo, + Op: specs.OpEqualTo, }, }, }, { Names: []string{"personality"}, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: 0xffffffff, - Op: OpEqualTo, + Op: specs.OpEqualTo, }, }, }, @@ -450,8 +451,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "sync_file_range2", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"ppc64le"}, }, @@ -465,8 +466,8 @@ func DefaultProfile() *Seccomp { "cacheflush", "set_tls", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"arm", "arm64"}, }, 
@@ -475,8 +476,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "arch_prctl", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"amd64", "x32"}, }, @@ -485,8 +486,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "modify_ldt", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"amd64", "x32", "x86"}, }, @@ -497,8 +498,8 @@ func DefaultProfile() *Seccomp { "s390_pci_mmio_write", "s390_runtime_instr", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"s390", "s390x"}, }, @@ -507,8 +508,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "open_by_handle_at", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_DAC_READ_SEARCH"}, }, @@ -531,8 +532,8 @@ func DefaultProfile() *Seccomp { "umount2", "unshare", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, @@ -541,13 +542,13 @@ func DefaultProfile() *Seccomp { Names: []string{ "clone", }, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 0, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, ValueTwo: 0, - Op: OpMaskedEqual, + Op: specs.OpMaskedEqual, }, }, Excludes: Filter{ 
@@ -559,13 +560,13 @@ func DefaultProfile() *Seccomp { Names: []string{ "clone", }, - Action: ActAllow, - Args: []*Arg{ + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{ { Index: 1, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, ValueTwo: 0, - Op: OpMaskedEqual, + Op: specs.OpMaskedEqual, }, }, Comment: "s390 parameter ordering for clone is different", @@ -580,8 +581,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "reboot", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_BOOT"}, }, @@ -590,8 +591,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "chroot", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_CHROOT"}, }, @@ -602,8 +603,8 @@ func DefaultProfile() *Seccomp { "init_module", "finit_module", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_MODULE"}, }, @@ -612,8 +613,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "acct", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_PACCT"}, }, @@ -625,8 +626,8 @@ func DefaultProfile() *Seccomp { "process_vm_writev", "ptrace", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_PTRACE"}, }, @@ -636,8 +637,8 @@ func DefaultProfile() *Seccomp { "iopl", "ioperm", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_RAWIO"}, }, 
@@ -648,8 +649,8 @@ func DefaultProfile() *Seccomp { "stime", "clock_settime", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_TIME"}, }, @@ -658,8 +659,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "vhangup", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, @@ -670,8 +671,8 @@ func DefaultProfile() *Seccomp { "mbind", "set_mempolicy", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_NICE"}, }, @@ -680,8 +681,8 @@ func DefaultProfile() *Seccomp { Names: []string{ "syslog", }, - Action: ActAllow, - Args: []*Arg{}, + Action: specs.ActAllow, + Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYSLOG"}, }, @@ -689,7 +690,7 @@ func DefaultProfile() *Seccomp { } return &Seccomp{ - DefaultAction: ActErrno, + DefaultAction: specs.ActErrno, ArchMap: arches(), Syscalls: syscalls, } diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go index 6be4c76056..441c37f648 100644 --- a/profiles/seccomp/seccomp.go +++ b/profiles/seccomp/seccomp.go @@ -1,11 +1,13 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp" +import "github.com/opencontainers/runtime-spec/specs-go" + // Seccomp represents the config for a seccomp profile for syscall restriction. type Seccomp struct { - DefaultAction Action `json:"defaultAction"` + DefaultAction specs.LinuxSeccompAction `json:"defaultAction"` // Architectures is kept to maintain backward compatibility with the old // seccomp profile. - Architectures []Arch `json:"architectures,omitempty"` + Architectures []specs.Arch `json:"architectures,omitempty"` ArchMap []Architecture `json:"archMap,omitempty"` Syscalls []*Syscall `json:"syscalls"` } 
@@ -13,66 +15,8 @@ type Seccomp struct { // Architecture is used to represent a specific architecture // and its sub-architectures type Architecture struct { - Arch Arch `json:"architecture"` - SubArches []Arch `json:"subArchitectures"` -} - -// Arch used for architectures -type Arch string - -// Additional architectures permitted to be used for system calls -// By default only the native architecture of the kernel is permitted -const ( - ArchX86 Arch = "SCMP_ARCH_X86" - ArchX86_64 Arch = "SCMP_ARCH_X86_64" - ArchX32 Arch = "SCMP_ARCH_X32" - ArchARM Arch = "SCMP_ARCH_ARM" - ArchAARCH64 Arch = "SCMP_ARCH_AARCH64" - ArchMIPS Arch = "SCMP_ARCH_MIPS" - ArchMIPS64 Arch = "SCMP_ARCH_MIPS64" - ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32" - ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL" - ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64" - ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32" - ArchPPC Arch = "SCMP_ARCH_PPC" - ArchPPC64 Arch = "SCMP_ARCH_PPC64" - ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE" - ArchS390 Arch = "SCMP_ARCH_S390" - ArchS390X Arch = "SCMP_ARCH_S390X" -) - -// Action taken upon Seccomp rule match -type Action string - -// Define actions for Seccomp rules -const ( - ActKill Action = "SCMP_ACT_KILL" - ActTrap Action = "SCMP_ACT_TRAP" - ActErrno Action = "SCMP_ACT_ERRNO" - ActTrace Action = "SCMP_ACT_TRACE" - ActAllow Action = "SCMP_ACT_ALLOW" -) - -// Operator used to match syscall arguments in Seccomp -type Operator string - -// Define operators for syscall arguments in Seccomp -const ( - OpNotEqual Operator = "SCMP_CMP_NE" - OpLessThan Operator = "SCMP_CMP_LT" - OpLessEqual Operator = "SCMP_CMP_LE" - OpEqualTo Operator = "SCMP_CMP_EQ" - OpGreaterEqual Operator = "SCMP_CMP_GE" - OpGreaterThan Operator = "SCMP_CMP_GT" - OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ" -) - -// Arg used for matching specific syscall arguments in Seccomp -type Arg struct { - Index uint `json:"index"` - Value uint64 `json:"value"` - ValueTwo uint64 `json:"valueTwo"` - Op Operator `json:"op"` + Arch 
specs.Arch `json:"architecture"` + SubArches []specs.Arch `json:"subArchitectures"` } // Filter is used to conditionally apply Seccomp rules @@ -84,11 +28,11 @@ type Filter struct { // Syscall is used to match a group of syscalls in Seccomp type Syscall struct { - Name string `json:"name,omitempty"` - Names []string `json:"names,omitempty"` - Action Action `json:"action"` - Args []*Arg `json:"args"` - Comment string `json:"comment"` - Includes Filter `json:"includes"` - Excludes Filter `json:"excludes"` + Name string `json:"name,omitempty"` + Names []string `json:"names,omitempty"` + Action specs.LinuxSeccompAction `json:"action"` + Args []*specs.LinuxSeccompArg `json:"args"` + Comment string `json:"comment"` + Includes Filter `json:"includes"` + Excludes Filter `json:"excludes"` } diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go index 29b2ea0934..c2221115d1 100644 --- a/profiles/seccomp/seccomp_linux.go +++ b/profiles/seccomp/seccomp_linux.go @@ -27,21 +27,21 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { } // libseccomp string => seccomp arch -var nativeToSeccomp = map[string]Arch{ - "x86": ArchX86, - "amd64": ArchX86_64, - "arm": ArchARM, - "arm64": ArchAARCH64, - "mips64": ArchMIPS64, - "mips64n32": ArchMIPS64N32, - "mipsel64": ArchMIPSEL64, - "mips3l64n32": ArchMIPSEL64N32, - "mipsle": ArchMIPSEL, - "ppc": ArchPPC, - "ppc64": ArchPPC64, - "ppc64le": ArchPPC64LE, - "s390": ArchS390, - "s390x": ArchS390X, +var nativeToSeccomp = map[string]specs.Arch{ + "x86": specs.ArchX86, + "amd64": specs.ArchX86_64, + "arm": specs.ArchARM, + "arm64": specs.ArchAARCH64, + "mips64": specs.ArchMIPS64, + "mips64n32": specs.ArchMIPS64N32, + "mipsel64": specs.ArchMIPSEL64, + "mips3l64n32": specs.ArchMIPSEL64N32, + "mipsle": specs.ArchMIPSEL, + "ppc": specs.ArchPPC, + "ppc64": specs.ArchPPC64, + "ppc64le": specs.ArchPPC64LE, + "s390": specs.ArchS390, + "s390x": specs.ArchS390X, } // GOARCH => libseccomp string 
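Review bot: The `Args` field of `Syscall` now uses `specs.LinuxSeccompArg`, whose JSON tags are owned by runtime-spec rather than by this file, and that type carries `omitempty` on `valueTwo`; this is why the `"valueTwo": 0` lines disappear from default.json earlier in this patch, and it means profiles serialized by this package no longer emit the field when it is zero. That wire-format dependency is invisible at the declaration and deserves a comment on the field, e.g. `// Args is serialized with runtime-spec's LinuxSeccompArg; its JSON shape (index, value, valueTwo with omitempty, op) is defined there, not here.` It is also worth recording on `Action` that, as far as the visible hunks show, action and operator strings are still passed through undecoded and unvalidated from `LoadProfile` into the spec, as they were before this change.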
@@ -91,9 +91,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) // if config.Architectures == 0 then libseccomp will figure out the architecture to use if len(config.Architectures) != 0 { - for _, a := range config.Architectures { - newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a)) - } + newConfig.Architectures = config.Architectures } arch := goToNative[runtime.GOARCH] @@ -102,16 +100,14 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) if len(config.ArchMap) != 0 && archExists { for _, a := range config.ArchMap { if a.Arch == seccompArch { - newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch)) - for _, sa := range a.SubArches { - newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa)) - } + newConfig.Architectures = append(newConfig.Architectures, a.Arch) + newConfig.Architectures = append(newConfig.Architectures, a.SubArches...) break } } } - newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) + newConfig.DefaultAction = config.DefaultAction Loop: // Loop through all syscall blocks and convert them to libcontainer format after filtering them @@ -169,22 +165,15 @@ Loop: return newConfig, nil } -func createSpecsSyscall(names []string, action Action, args []*Arg) specs.LinuxSyscall { +func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { newCall := specs.LinuxSyscall{ Names: names, - Action: specs.LinuxSeccompAction(action), + Action: action, } // Loop through all the arguments of the syscall and convert them for _, arg := range args { - newArg := specs.LinuxSeccompArg{ - Index: arg.Index, - Value: arg.Value, - ValueTwo: arg.ValueTwo, - Op: specs.LinuxSeccompOperator(arg.Op), - } - - newCall.Args = append(newCall.Args, newArg) + newCall.Args = append(newCall.Args, *arg) } return newCall }
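Review bot: `newConfig.Architectures = config.Architectures` in the first hunk replaces a copying loop with a slice assignment, so the generated spec now shares its backing array with the decoded profile, and the two `append` calls in the ArchMap branch of the second hunk write into that shared array whenever it has spare capacity, which the old element-by-element conversion never did. With `config` being a local of `LoadProfile` the effect is contained today, but `setupSeccomp` takes a `*Seccomp` from any caller, and a profile that is silently mutated by the function that reads it is hard to trace later. `newConfig.Architectures = append([]specs.Arch(nil), config.Architectures...)` keeps the copy semantics at the same cost. `setupSeccomp` starts and ends outside this hunk.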
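Review bot: `newCall.Args = append(newCall.Args, *arg)` in the last hunk dereferences each entry of `args` unconditionally; `args` comes from the `Args []*specs.LinuxSeccompArg` field that `LoadProfile` fills by `json.Unmarshal`, so a profile containing `"args": [null]` yields a nil entry here and a panic instead of a decode error. The old code had the same hazard through `arg.Index`, so this is not a regression, but the patch rewrites the line and that is the moment to close it. Skipping nil entries with `if arg == nil { continue }` would silently widen the rule (an argument constraint dropped from an allow rule matches more calls), so the safer fix is to reject such profiles with an error in `setupSeccomp` before this function is called, since `createSpecsSyscall` has no error return. `setupSeccomp` and the enclosing loop are outside this hunk.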