1124543ca8
4.8+ kernels have fixed the ptrace security issues
so we can allow ptrace(2) on the default seccomp
profile if we do the kernel version check.
93e35efb8d
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
package types // import "github.com/docker/docker/api/types"
// Seccomp represents the config for a seccomp profile for syscall restriction.
//
// This is the JSON shape of a profile. DefaultAction is the fallback applied
// to any syscall that no entry in Syscalls matches, so a profile whose
// DefaultAction is ActAllow restricts nothing unless Syscalls carries
// explicit deny rules; a restrictive default plus allow rules is the
// conventional, safer layout.
type Seccomp struct {
	// DefaultAction is applied to every syscall not matched by Syscalls.
	DefaultAction Action `json:"defaultAction"`
	// Architectures is kept to maintain backward compatibility with the old
	// seccomp profile.
	Architectures []Arch `json:"architectures,omitempty"`
	// ArchMap is the newer form of Architectures: each entry names an
	// architecture together with the sub-architectures enabled with it.
	ArchMap []Architecture `json:"archMap,omitempty"`
	// Syscalls holds the rules; each rule matches a group of syscalls and
	// may be conditionally applied via its Includes/Excludes filters.
	Syscalls []*Syscall `json:"syscalls"`
}
// Architecture is used to represent a specific architecture
// and its sub-architectures.
//
// SubArches lists the additional architectures that are enabled alongside
// Arch (for example a 32-bit compatibility ABI); which sub-architectures a
// given Arch implies is decided by the profile author, not by this type.
type Architecture struct {
	// Arch is the primary architecture this entry describes.
	Arch Arch `json:"architecture"`
	// SubArches are enabled together with Arch.
	SubArches []Arch `json:"subArchitectures"`
}
// Arch used for architectures.
//
// The string value is the libseccomp SCMP_ARCH_* constant name; see the
// Arch* constants below for the known values. It is a plain string type,
// so an unknown or misspelled value is not rejected at decode time.
type Arch string
// Additional architectures permitted to be used for system calls.
// By default only the native architecture of the kernel is permitted.
//
// Each value is the name of the corresponding libseccomp SCMP_ARCH_*
// constant, which is how the architecture is spelled in the JSON profile.
const (
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
)
// Action taken upon Seccomp rule match.
//
// The string value is the libseccomp SCMP_ACT_* constant name; see the
// Act* constants below. As a plain string type it accepts unknown values
// at decode time, so validation has to happen wherever the profile is
// applied.
type Action string
// Define actions for Seccomp rules.
//
// Each value names the libseccomp action of the same name. ActKill and
// ActTrap stop the offending process/thread, ActErrno fails the syscall
// with an errno while letting the process continue, ActTrace hands the
// syscall to a ptrace tracer, and ActAllow permits it unchanged.
const (
	ActKill  Action = "SCMP_ACT_KILL"
	ActTrap  Action = "SCMP_ACT_TRAP"
	ActErrno Action = "SCMP_ACT_ERRNO"
	ActTrace Action = "SCMP_ACT_TRACE"
	ActAllow Action = "SCMP_ACT_ALLOW"
)
// Operator used to match syscall arguments in Seccomp.
//
// The string value is the libseccomp SCMP_CMP_* constant name; see the
// Op* constants below.
type Operator string
// Define operators for syscall arguments in Seccomp.
//
// All operators except OpMaskedEqual compare the syscall argument against
// Arg.Value alone; OpMaskedEqual is the only one that also uses
// Arg.ValueTwo (see Arg).
const (
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)
// Arg used for matching specific syscall arguments in Seccomp.
//
// A rule with Args matches only when every Arg matches; argument values are
// compared as raw register contents, so pointer arguments cannot be
// inspected meaningfully, only integer/flag arguments.
type Arg struct {
	// Index is the zero-based position of the syscall argument to inspect.
	Index uint `json:"index"`
	// Value is the operand the argument is compared against with Op.
	Value uint64 `json:"value"`
	// ValueTwo is the second operand, used by OpMaskedEqual.
	// NOTE(review): which of Value/ValueTwo is the mask and which the
	// expected value is decided by the loader that translates this into a
	// libseccomp rule — confirm there before relying on it.
	ValueTwo uint64 `json:"valueTwo"`
	// Op selects the comparison (see the Op* constants).
	Op Operator `json:"op"`
}
// Filter is used to conditionally apply Seccomp rules.
//
// A Filter appears as Syscall.Includes (the rule is only applied when the
// filter matches the container) or Syscall.Excludes (the rule is skipped
// when it matches). MinKernel is what lets a rule be gated on the running
// kernel: e.g. allowing ptrace(2) only on 4.8+ kernels, where the ptrace
// security issues are fixed. An empty Filter places no condition on the
// rule.
type Filter struct {
	// Caps lists capability names the container must have (Includes) or
	// must not have (Excludes) for the rule to apply.
	Caps []string `json:"caps,omitempty"`
	// Arches lists architectures as plain strings. Note this is not []Arch,
	// unlike Seccomp.Architectures, so the spelling is not type-checked.
	Arches []string `json:"arches,omitempty"`
	// MinKernel is the minimum kernel version (e.g. "4.8") for the rule to
	// apply; how the version string is parsed and compared is up to the
	// loader, not this package.
	MinKernel string `json:"minKernel,omitempty"`
}
// Syscall is used to match a group of syscalls in Seccomp.
//
// Name and Names both select syscalls by name; Names is the multi-syscall
// form. The rule's Action overrides Seccomp.DefaultAction for the matched
// syscalls, subject to Args and to the Includes/Excludes filters.
type Syscall struct {
	// Name is a single syscall name (legacy single-entry form).
	Name string `json:"name,omitempty"`
	// Names is a list of syscall names sharing this rule.
	Names []string `json:"names,omitempty"`
	// Action is what seccomp does when one of the named syscalls is invoked.
	Action Action `json:"action"`
	// Args optionally restricts the match to specific argument values; a
	// nil/empty Args matches every invocation of the named syscalls.
	Args []*Arg `json:"args"`
	// Comment is free-form documentation for profile readers; it has no
	// effect on filtering.
	Comment string `json:"comment"`
	// Includes: the rule is applied only when this filter matches.
	Includes Filter `json:"includes"`
	// Excludes: the rule is dropped when this filter matches.
	Excludes Filter `json:"excludes"`
}