summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-01-17 11:03:07 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-01-18 12:26:43 +0000
commit0d69ca6637b30a3370529b3e272f27f6fafdb0c3 (patch)
treed6a69ad97b497eb5304c3a5b516a6056f4c85460
parent0befd8dafd116ea5f231f5b360b500be08c39297 (diff)
downloadpodman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.tar.gz
podman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.tar.bz2
podman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.zip
Fix seccomp support
If user does not specify seccomp file or seccomp file does not exist, then use the default seccomp settings. Still need to not hard code /etc/crio/seccomp.json, should move this to /usr/share/seccomp/seccomp.json Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #233 Approved by: baude
-rw-r--r--cmd/podman/create.go17
-rw-r--r--cmd/podman/run_test.go38
-rw-r--r--cmd/podman/spec.go40
-rw-r--r--libpod/runtime.go4
-rw-r--r--vendor/github.com/docker/docker/profiles/seccomp/generate.go32
-rw-r--r--vendor/github.com/docker/docker/profiles/seccomp/seccomp.go160
-rw-r--r--vendor/github.com/docker/docker/profiles/seccomp/seccomp_default.go639
-rw-r--r--vendor/github.com/docker/docker/profiles/seccomp/seccomp_unsupported.go12
8 files changed, 913 insertions, 29 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 7ee364fab..262be129c 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -218,8 +218,6 @@ func createCmd(c *cli.Context) error {
return nil
}
-const seccompDefaultPath = "/etc/crio/seccomp.json"
-
func parseSecurityOpt(config *createConfig, securityOpts []string) error {
var (
labelOpts []string
@@ -269,12 +267,19 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
}
if config.SeccompProfilePath == "" {
- if _, err := os.Stat(seccompDefaultPath); err != nil {
+ if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
+ config.SeccompProfilePath = libpod.SeccompOverridePath
+ } else {
if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", seccompDefaultPath)
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
+ }
+ if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
+ }
+ } else {
+ config.SeccompProfilePath = libpod.SeccompDefaultPath
}
- } else {
- config.SeccompProfilePath = seccompDefaultPath
}
}
config.ProcessLabel, config.MountLabel, err = label.InitLabels(labelOpts)
diff --git a/cmd/podman/run_test.go b/cmd/podman/run_test.go
index f083b39af..b82df86db 100644
--- a/cmd/podman/run_test.go
+++ b/cmd/podman/run_test.go
@@ -66,11 +66,24 @@ func createCLI() cli.App {
return a
}
-func getRuntimeSpec(c *cli.Context) *spec.Spec {
- runtime, _ := getRuntime(c)
- createConfig, _ := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
- runtimeSpec, _ := createConfigToOCISpec(createConfig)
- return runtimeSpec
+func getRuntimeSpec(c *cli.Context) (*spec.Spec, error) {
+ /*
+ TODO: This test has never worked. Need to install content
+ runtime, err := getRuntime(c)
+ if err != nil {
+ return nil, err
+ }
+ createConfig, err := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
+ */
+ createConfig, err := parseCreateOpts(c, nil, "alpine", generateAlpineImageData())
+ if err != nil {
+ return nil, err
+ }
+ runtimeSpec, err := createConfigToOCISpec(createConfig)
+ if err != nil {
+ return nil, err
+ }
+ return runtimeSpec, nil
}
// TestPIDsLimit verifies the inputed pid-limit is correctly defined in the spec
@@ -78,7 +91,10 @@ func TestPIDsLimit(t *testing.T) {
a := createCLI()
args := []string{"--pids-limit", "22"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
assert.Equal(t, runtimeSpec.Linux.Resources.Pids.Limit, int64(22))
}
@@ -87,7 +103,10 @@ func TestBLKIOWeightDevice(t *testing.T) {
a := createCLI()
args := []string{"--blkio-weight-device", "/dev/sda:100"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
assert.Equal(t, *runtimeSpec.Linux.Resources.BlockIO.WeightDevice[0].Weight, uint16(100))
}
@@ -96,7 +115,10 @@ func TestMemorySwap(t *testing.T) {
a := createCLI()
args := []string{"--memory-swap", "45m", "--memory", "40m"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
mem, _ := units.RAMInBytes("45m")
assert.Equal(t, *runtimeSpec.Linux.Resources.Memory.Swap, mem)
}
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index df1c54d50..59ea5685a 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -1,13 +1,13 @@
package main
import (
- "encoding/json"
"io/ioutil"
"strings"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/profiles/seccomp"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/devices"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -290,16 +290,31 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
configSpec := g.Spec()
- if config.SeccompProfilePath != "" && config.SeccompProfilePath != "unconfined" {
- seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath)
- if err != nil {
- return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
- }
- var seccompConfig spec.LinuxSeccomp
- if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
- return nil, errors.Wrapf(err, "decoding seccomp profile (%s) failed", config.SeccompProfilePath)
+ // HANDLE CAPABILITIES
+ // NOTE: Must happen before SECCOMP
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+
+ // HANDLE SECCOMP
+ if config.SeccompProfilePath != "unconfined" {
+ if config.SeccompProfilePath != "" {
+ seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ configSpec.Linux.Seccomp = seccompConfig
+ } else {
+ seccompConfig, err := seccomp.GetDefaultProfile(configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ configSpec.Linux.Seccomp = seccompConfig
}
- configSpec.Linux.Seccomp = &seccompConfig
}
// BIND MOUNTS
@@ -319,11 +334,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
}
- // HANDLE CAPABILITIES
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
- }
-
// BLOCK IO
blkio, err := config.CreateBlockIO()
if err != nil {
diff --git a/libpod/runtime.go b/libpod/runtime.go
index d0362ec79..804f69c9e 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -27,6 +27,10 @@ const (
InMemoryStateStore RuntimeStateStore = iota
// SQLiteStateStore is a state backed by a SQLite database
SQLiteStateStore RuntimeStateStore = iota
+ // SeccompDefaultPath defines the default seccomp path
+ SeccompDefaultPath = "/usr/share/containers/seccomp.json"
+ // SeccompOverridePath if this exists it overrides the default seccomp path
+ SeccompOverridePath = "/etc/crio/seccomp.json"
)
// A RuntimeOption is a functional option which alters the Runtime created by
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/generate.go b/vendor/github.com/docker/docker/profiles/seccomp/generate.go
new file mode 100644
index 000000000..32f22bb37
--- /dev/null
+++ b/vendor/github.com/docker/docker/profiles/seccomp/generate.go
@@ -0,0 +1,32 @@
+// +build ignore
+
+package main
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+
+ "github.com/docker/docker/profiles/seccomp"
+)
+
+// saves the default seccomp profile as a json file so people can use it as a
+// base for their own custom profiles
+func main() {
+ wd, err := os.Getwd()
+ if err != nil {
+ panic(err)
+ }
+ f := filepath.Join(wd, "default.json")
+
+ // write the default profile to the file
+ b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
+ if err != nil {
+ panic(err)
+ }
+
+ if err := ioutil.WriteFile(f, b, 0644); err != nil {
+ panic(err)
+ }
+}
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go b/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go
new file mode 100644
index 000000000..07d522aad
--- /dev/null
+++ b/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go
@@ -0,0 +1,160 @@
+// +build linux
+
+package seccomp
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/docker/docker/api/types"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+//go:generate go run -tags 'seccomp' generate.go
+
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return setupSeccomp(DefaultProfile(), rs)
+}
+
+// LoadProfile takes a json string and decodes the seccomp profile.
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ var config types.Seccomp
+ if err := json.Unmarshal([]byte(body), &config); err != nil {
+ return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
+ }
+ return setupSeccomp(&config, rs)
+}
+
+var nativeToSeccomp = map[string]types.Arch{
+ "amd64": types.ArchX86_64,
+ "arm64": types.ArchAARCH64,
+ "mips64": types.ArchMIPS64,
+ "mips64n32": types.ArchMIPS64N32,
+ "mipsel64": types.ArchMIPSEL64,
+ "mipsel64n32": types.ArchMIPSEL64N32,
+ "s390x": types.ArchS390X,
+}
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case sensitive
+func inSlice(slice []string, s string) bool {
+ for _, ss := range slice {
+ if s == ss {
+ return true
+ }
+ }
+ return false
+}
+
+func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ if config == nil {
+ return nil, nil
+ }
+
+ // No default action specified, no syscalls listed, assume seccomp disabled
+ if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+ return nil, nil
+ }
+
+ newConfig := &specs.LinuxSeccomp{}
+
+ var arch string
+ var native, err = libseccomp.GetNativeArch()
+ if err == nil {
+ arch = native.String()
+ }
+
+ if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
+ return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
+ }
+
+ // if config.Architectures == 0 then libseccomp will figure out the architecture to use
+ if len(config.Architectures) != 0 {
+ for _, a := range config.Architectures {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
+ }
+ }
+
+ if len(config.ArchMap) != 0 {
+ for _, a := range config.ArchMap {
+ seccompArch, ok := nativeToSeccomp[arch]
+ if ok {
+ if a.Arch == seccompArch {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
+ for _, sa := range a.SubArches {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
+ }
+ break
+ }
+ }
+ }
+ }
+
+ newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+
+Loop:
+ // Loop through all syscall blocks and convert them to libcontainer format after filtering them
+ for _, call := range config.Syscalls {
+ if len(call.Excludes.Arches) > 0 {
+ if inSlice(call.Excludes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Excludes.Caps) > 0 {
+ for _, c := range call.Excludes.Caps {
+ if inSlice(rs.Process.Capabilities.Effective, c) {
+ continue Loop
+ }
+ }
+ }
+ if len(call.Includes.Arches) > 0 {
+ if !inSlice(call.Includes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Includes.Caps) > 0 {
+ for _, c := range call.Includes.Caps {
+ if !inSlice(rs.Process.Capabilities.Effective, c) {
+ continue Loop
+ }
+ }
+ }
+
+ if call.Name != "" && len(call.Names) != 0 {
+ return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+ }
+
+ if call.Name != "" {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ }
+
+ for _, n := range call.Names {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ }
+ }
+
+ return newConfig, nil
+}
+
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+ newCall := specs.LinuxSyscall{
+ Names: []string{name},
+ Action: specs.LinuxSeccompAction(action),
+ }
+
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range args {
+ newArg := specs.LinuxSeccompArg{
+ Index: arg.Index,
+ Value: arg.Value,
+ ValueTwo: arg.ValueTwo,
+ Op: specs.LinuxSeccompOperator(arg.Op),
+ }
+
+ newCall.Args = append(newCall.Args, newArg)
+ }
+ return newCall
+}
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/seccomp_default.go b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_default.go
new file mode 100644
index 000000000..1b5179c70
--- /dev/null
+++ b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_default.go
@@ -0,0 +1,639 @@
+// +build linux,seccomp
+
+package seccomp
+
+import (
+ "github.com/docker/docker/api/types"
+ "golang.org/x/sys/unix"
+)
+
+func arches() []types.Architecture {
+ return []types.Architecture{
+ {
+ Arch: types.ArchX86_64,
+ SubArches: []types.Arch{types.ArchX86, types.ArchX32},
+ },
+ {
+ Arch: types.ArchAARCH64,
+ SubArches: []types.Arch{types.ArchARM},
+ },
+ {
+ Arch: types.ArchMIPS64,
+ SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
+ },
+ {
+ Arch: types.ArchMIPS64N32,
+ SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
+ },
+ {
+ Arch: types.ArchMIPSEL64,
+ SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
+ },
+ {
+ Arch: types.ArchMIPSEL64N32,
+ SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
+ },
+ {
+ Arch: types.ArchS390X,
+ SubArches: []types.Arch{types.ArchS390},
+ },
+ }
+}
+
+// DefaultProfile defines the whitelist for the default seccomp profile.
+func DefaultProfile() *types.Seccomp {
+ syscalls := []*types.Syscall{
+ {
+ Names: []string{
+ "accept",
+ "accept4",
+ "access",
+ "adjtimex",
+ "alarm",
+ "bind",
+ "brk",
+ "capget",
+ "capset",
+ "chdir",
+ "chmod",
+ "chown",
+ "chown32",
+ "clock_getres",
+ "clock_gettime",
+ "clock_nanosleep",
+ "close",
+ "connect",
+ "copy_file_range",
+ "creat",
+ "dup",
+ "dup2",
+ "dup3",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_ctl_old",
+ "epoll_pwait",
+ "epoll_wait",
+ "epoll_wait_old",
+ "eventfd",
+ "eventfd2",
+ "execve",
+ "execveat",
+ "exit",
+ "exit_group",
+ "faccessat",
+ "fadvise64",
+ "fadvise64_64",
+ "fallocate",
+ "fanotify_mark",
+ "fchdir",
+ "fchmod",
+ "fchmodat",
+ "fchown",
+ "fchown32",
+ "fchownat",
+ "fcntl",
+ "fcntl64",
+ "fdatasync",
+ "fgetxattr",
+ "flistxattr",
+ "flock",
+ "fork",
+ "fremovexattr",
+ "fsetxattr",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+ "fstatfs",
+ "fstatfs64",
+ "fsync",
+ "ftruncate",
+ "ftruncate64",
+ "futex",
+ "futimesat",
+ "getcpu",
+ "getcwd",
+ "getdents",
+ "getdents64",
+ "getegid",
+ "getegid32",
+ "geteuid",
+ "geteuid32",
+ "getgid",
+ "getgid32",
+ "getgroups",
+ "getgroups32",
+ "getitimer",
+ "getpeername",
+ "getpgid",
+ "getpgrp",
+ "getpid",
+ "getppid",
+ "getpriority",
+ "getrandom",
+ "getresgid",
+ "getresgid32",
+ "getresuid",
+ "getresuid32",
+ "getrlimit",
+ "get_robust_list",
+ "getrusage",
+ "getsid",
+ "getsockname",
+ "getsockopt",
+ "get_thread_area",
+ "gettid",
+ "gettimeofday",
+ "getuid",
+ "getuid32",
+ "getxattr",
+ "inotify_add_watch",
+ "inotify_init",
+ "inotify_init1",
+ "inotify_rm_watch",
+ "io_cancel",
+ "ioctl",
+ "io_destroy",
+ "io_getevents",
+ "ioprio_get",
+ "ioprio_set",
+ "io_setup",
+ "io_submit",
+ "ipc",
+ "kill",
+ "lchown",
+ "lchown32",
+ "lgetxattr",
+ "link",
+ "linkat",
+ "listen",
+ "listxattr",
+ "llistxattr",
+ "_llseek",
+ "lremovexattr",
+ "lseek",
+ "lsetxattr",
+ "lstat",
+ "lstat64",
+ "madvise",
+ "memfd_create",
+ "mincore",
+ "mkdir",
+ "mkdirat",
+ "mknod",
+ "mknodat",
+ "mlock",
+ "mlock2",
+ "mlockall",
+ "mmap",
+ "mmap2",
+ "mprotect",
+ "mq_getsetattr",
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
+ "mq_timedsend",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+ "msgget",
+ "msgrcv",
+ "msgsnd",
+ "msync",
+ "munlock",
+ "munlockall",
+ "munmap",
+ "nanosleep",
+ "newfstatat",
+ "_newselect",
+ "open",
+ "openat",
+ "pause",
+ "pipe",
+ "pipe2",
+ "poll",
+ "ppoll",
+ "prctl",
+ "pread64",
+ "preadv",
+ "preadv2",
+ "prlimit64",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "pwritev2",
+ "read",
+ "readahead",
+ "readlink",
+ "readlinkat",
+ "readv",
+ "recv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+ "rename",
+ "renameat",
+ "renameat2",
+ "restart_syscall",
+ "rmdir",
+ "rt_sigaction",
+ "rt_sigpending",
+ "rt_sigprocmask",
+ "rt_sigqueueinfo",
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
+ "rt_tgsigqueueinfo",
+ "sched_getaffinity",
+ "sched_getattr",
+ "sched_getparam",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+ "sched_setscheduler",
+ "sched_yield",
+ "seccomp",
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "send",
+ "sendfile",
+ "sendfile64",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "setfsgid",
+ "setfsgid32",
+ "setfsuid",
+ "setfsuid32",
+ "setgid",
+ "setgid32",
+ "setgroups",
+ "setgroups32",
+ "setitimer",
+ "setpgid",
+ "setpriority",
+ "setregid",
+ "setregid32",
+ "setresgid",
+ "setresgid32",
+ "setresuid",
+ "setresuid32",
+ "setreuid",
+ "setreuid32",
+ "setrlimit",
+ "set_robust_list",
+ "setsid",
+ "setsockopt",
+ "set_thread_area",
+ "set_tid_address",
+ "setuid",
+ "setuid32",
+ "setxattr",
+ "shmat",
+ "shmctl",
+ "shmdt",
+ "shmget",
+ "shutdown",
+ "sigaltstack",
+ "signalfd",
+ "signalfd4",
+ "sigreturn",
+ "socket",
+ "socketcall",
+ "socketpair",
+ "splice",
+ "stat",
+ "stat64",
+ "statfs",
+ "statfs64",
+ "symlink",
+ "symlinkat",
+ "sync",
+ "sync_file_range",
+ "syncfs",
+ "sysinfo",
+ "syslog",
+ "tee",
+ "tgkill",
+ "time",
+ "timer_create",
+ "timer_delete",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
+ "timer_getoverrun",
+ "timer_gettime",
+ "timer_settime",
+ "times",
+ "tkill",
+ "truncate",
+ "truncate64",
+ "ugetrlimit",
+ "umask",
+ "uname",
+ "unlink",
+ "unlinkat",
+ "utime",
+ "utimensat",
+ "utimes",
+ "vfork",
+ "vmsplice",
+ "wait4",
+ "waitid",
+ "waitpid",
+ "write",
+ "writev",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x0,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x0008,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x20000,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x20008,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0xffffffff,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{
+ "sync_file_range2",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Arches: []string{"ppc64le"},
+ },
+ },
+ {
+ Names: []string{
+ "arm_fadvise64_64",
+ "arm_sync_file_range",
+ "sync_file_range2",
+ "breakpoint",
+ "cacheflush",
+ "set_tls",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Arches: []string{"arm", "arm64"},
+ },
+ },
+ {
+ Names: []string{
+ "arch_prctl",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Arches: []string{"amd64", "x32"},
+ },
+ },
+ {
+ Names: []string{
+ "modify_ldt",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Arches: []string{"amd64", "x32", "x86"},
+ },
+ },
+ {
+ Names: []string{
+ "s390_pci_mmio_read",
+ "s390_pci_mmio_write",
+ "s390_runtime_instr",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "open_by_handle_at",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_DAC_READ_SEARCH"},
+ },
+ },
+ {
+ Names: []string{
+ "bpf",
+ "clone",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+ "name_to_handle_at",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns",
+ "umount",
+ "umount2",
+ "unshare",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: types.OpMaskedEqual,
+ },
+ },
+ Excludes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 1,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: types.OpMaskedEqual,
+ },
+ },
+ Comment: "s390 parameter ordering for clone is different",
+ Includes: types.Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ Excludes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "reboot",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_BOOT"},
+ },
+ },
+ {
+ Names: []string{
+ "chroot",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_CHROOT"},
+ },
+ },
+ {
+ Names: []string{
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_MODULE"},
+ },
+ },
+ {
+ Names: []string{
+ "acct",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_PACCT"},
+ },
+ },
+ {
+ Names: []string{
+ "kcmp",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_PTRACE"},
+ },
+ },
+ {
+ Names: []string{
+ "iopl",
+ "ioperm",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_RAWIO"},
+ },
+ },
+ {
+ Names: []string{
+ "settimeofday",
+ "stime",
+ "clock_settime",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_TIME"},
+ },
+ },
+ {
+ Names: []string{
+ "vhangup",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_TTY_CONFIG"},
+ },
+ },
+ }
+
+ return &types.Seccomp{
+ DefaultAction: types.ActErrno,
+ ArchMap: arches(),
+ Syscalls: syscalls,
+ }
+}
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/seccomp_unsupported.go b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_unsupported.go
new file mode 100644
index 000000000..0130effa6
--- /dev/null
+++ b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_unsupported.go
@@ -0,0 +1,12 @@
+// +build linux,!seccomp
+
+package seccomp
+
+import (
+ "github.com/docker/docker/api/types"
+)
+
+// DefaultProfile returns a nil pointer on unsupported systems.
+func DefaultProfile() *types.Seccomp {
+ return nil
+}