summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-06-28 14:30:34 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-06-29 13:18:41 +0000
commit810f2b6061c710a15aaee46c758e71ea9a2920fa (patch)
treeba81ba03ddd25963bb68b0349c25ee066d0a96be
parentc09bbe8e068cb0648242a9345f2f22a6d1db90e0 (diff)
downloadpodman-810f2b6061c710a15aaee46c758e71ea9a2920fa.tar.gz
podman-810f2b6061c710a15aaee46c758e71ea9a2920fa.tar.bz2
podman-810f2b6061c710a15aaee46c758e71ea9a2920fa.zip
Start using github.com/seccomp/containers-golang
User newer seccomp bindings from the seccomp upstream Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1021 Approved by: giuseppe
-rw-r--r--pkg/spec/spec.go2
-rw-r--r--vendor.conf1
-rw-r--r--vendor/github.com/seccomp/containers-golang/README.md21
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go656
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_linux.go159
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go24
-rw-r--r--vendor/github.com/seccomp/containers-golang/types.go93
-rw-r--r--vendor/github.com/seccomp/containers-golang/vendor.conf9
8 files changed, 964 insertions, 1 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 2cef3ecc0..2faa3c2cd 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -5,13 +5,13 @@ import (
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/pkg/mount"
- "github.com/docker/docker/profiles/seccomp"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/devices"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/pkg/rootless"
+ seccomp "github.com/seccomp/containers-golang"
"github.com/sirupsen/logrus"
"io/ioutil"
)
diff --git a/vendor.conf b/vendor.conf
index c2d72bfb8..1cee0c93e 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -55,6 +55,7 @@ github.com/pkg/errors v0.8.0
github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
github.com/seccomp/libseccomp-golang v0.9.0
+github.com/seccomp/containers-golang master
github.com/sirupsen/logrus v1.0.0
github.com/spf13/pflag 9ff6c6923cfffbcd502984b8e0c80539a94968b7
github.com/stretchr/testify 4d4bfba8f1d1027c4fdbe371823030df51419987
diff --git a/vendor/github.com/seccomp/containers-golang/README.md b/vendor/github.com/seccomp/containers-golang/README.md
new file mode 100644
index 000000000..43aa9db41
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/README.md
@@ -0,0 +1,21 @@
+`containers-golang` is a set of Go libraries used by container runtimes to generate and load seccomp mappings into the kernel.
+
+seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[1] seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS[2][3]. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
+
+## Dependencies
+
+## Building
+
+### Supported build tags
+
+## Contributing
+
+When developing this library, please use `make` (or `make … BUILDTAGS=…`) to take advantage of the tests and validation.
+
+## License
+
+ASL 2.0
+
+## Contact
+
+- IRC: #[CRI-O](irc://irc.freenode.net:6667/#cri-o) on freenode.net
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
new file mode 100644
index 000000000..fde3cff75
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
@@ -0,0 +1,656 @@
+// +build seccomp
+
+package seccomp // import "github.com/seccomp/containers-golang"
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+func arches() []Architecture {
+ return []Architecture{
+ {
+ Arch: ArchX86_64,
+ SubArches: []Arch{ArchX86, ArchX32},
+ },
+ {
+ Arch: ArchAARCH64,
+ SubArches: []Arch{ArchARM},
+ },
+ {
+ Arch: ArchMIPS64,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64N32},
+ },
+ {
+ Arch: ArchMIPS64N32,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64},
+ },
+ {
+ Arch: ArchMIPSEL64,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32},
+ },
+ {
+ Arch: ArchMIPSEL64N32,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64},
+ },
+ {
+ Arch: ArchS390X,
+ SubArches: []Arch{ArchS390},
+ },
+ }
+}
+
+// DefaultProfile defines the whitelist for the default seccomp profile.
+func DefaultProfile() *Seccomp {
+ syscalls := []*Syscall{
+ {
+ Names: []string{
+ "accept",
+ "accept4",
+ "access",
+ "adjtimex",
+ "alarm",
+ "bind",
+ "brk",
+ "capget",
+ "capset",
+ "chdir",
+ "chmod",
+ "chown",
+ "chown32",
+ "clock_getres",
+ "clock_gettime",
+ "clock_nanosleep",
+ "close",
+ "connect",
+ "copy_file_range",
+ "creat",
+ "dup",
+ "dup2",
+ "dup3",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_ctl_old",
+ "epoll_pwait",
+ "epoll_wait",
+ "epoll_wait_old",
+ "eventfd",
+ "eventfd2",
+ "execve",
+ "execveat",
+ "exit",
+ "exit_group",
+ "faccessat",
+ "fadvise64",
+ "fadvise64_64",
+ "fallocate",
+ "fanotify_mark",
+ "fchdir",
+ "fchmod",
+ "fchmodat",
+ "fchown",
+ "fchown32",
+ "fchownat",
+ "fcntl",
+ "fcntl64",
+ "fdatasync",
+ "fgetxattr",
+ "flistxattr",
+ "flock",
+ "fork",
+ "fremovexattr",
+ "fsetxattr",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+ "fstatfs",
+ "fstatfs64",
+ "fsync",
+ "ftruncate",
+ "ftruncate64",
+ "futex",
+ "futimesat",
+ "getcpu",
+ "getcwd",
+ "getdents",
+ "getdents64",
+ "getegid",
+ "getegid32",
+ "geteuid",
+ "geteuid32",
+ "getgid",
+ "getgid32",
+ "getgroups",
+ "getgroups32",
+ "getitimer",
+ "getpeername",
+ "getpgid",
+ "getpgrp",
+ "getpid",
+ "getppid",
+ "getpriority",
+ "getrandom",
+ "getresgid",
+ "getresgid32",
+ "getresuid",
+ "getresuid32",
+ "getrlimit",
+ "get_robust_list",
+ "getrusage",
+ "getsid",
+ "getsockname",
+ "getsockopt",
+ "get_thread_area",
+ "gettid",
+ "gettimeofday",
+ "getuid",
+ "getuid32",
+ "getxattr",
+ "inotify_add_watch",
+ "inotify_init",
+ "inotify_init1",
+ "inotify_rm_watch",
+ "io_cancel",
+ "ioctl",
+ "io_destroy",
+ "io_getevents",
+ "ioprio_get",
+ "ioprio_set",
+ "io_setup",
+ "io_submit",
+ "ipc",
+ "kill",
+ "lchown",
+ "lchown32",
+ "lgetxattr",
+ "link",
+ "linkat",
+ "listen",
+ "listxattr",
+ "llistxattr",
+ "_llseek",
+ "lremovexattr",
+ "lseek",
+ "lsetxattr",
+ "lstat",
+ "lstat64",
+ "madvise",
+ "memfd_create",
+ "mincore",
+ "mkdir",
+ "mkdirat",
+ "mknod",
+ "mknodat",
+ "mlock",
+ "mlock2",
+ "mlockall",
+ "mmap",
+ "mmap2",
+ "mount",
+ "mprotect",
+ "mq_getsetattr",
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
+ "mq_timedsend",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+ "msgget",
+ "msgrcv",
+ "msgsnd",
+ "msync",
+ "munlock",
+ "munlockall",
+ "munmap",
+ "name_to_handle_at",
+ "nanosleep",
+ "newfstatat",
+ "_newselect",
+ "open",
+ "openat",
+ "pause",
+ "pipe",
+ "pipe2",
+ "poll",
+ "ppoll",
+ "prctl",
+ "pread64",
+ "preadv",
+ "preadv2",
+ "prlimit64",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "pwritev2",
+ "read",
+ "readahead",
+ "readlink",
+ "readlinkat",
+ "readv",
+ "reboot",
+ "recv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+ "rename",
+ "renameat",
+ "renameat2",
+ "restart_syscall",
+ "rmdir",
+ "rt_sigaction",
+ "rt_sigpending",
+ "rt_sigprocmask",
+ "rt_sigqueueinfo",
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
+ "rt_tgsigqueueinfo",
+ "sched_getaffinity",
+ "sched_getattr",
+ "sched_getparam",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+ "sched_setscheduler",
+ "sched_yield",
+ "seccomp",
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "send",
+ "sendfile",
+ "sendfile64",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "setfsgid",
+ "setfsgid32",
+ "setfsuid",
+ "setfsuid32",
+ "setgid",
+ "setgid32",
+ "setgroups",
+ "setgroups32",
+ "setitimer",
+ "setpgid",
+ "setpriority",
+ "setregid",
+ "setregid32",
+ "setresgid",
+ "setresgid32",
+ "setresuid",
+ "setresuid32",
+ "setreuid",
+ "setreuid32",
+ "setrlimit",
+ "set_robust_list",
+ "setsid",
+ "setsockopt",
+ "set_thread_area",
+ "set_tid_address",
+ "setuid",
+ "setuid32",
+ "setxattr",
+ "shmat",
+ "shmctl",
+ "shmdt",
+ "shmget",
+ "shutdown",
+ "sigaltstack",
+ "signalfd",
+ "signalfd4",
+ "sigreturn",
+ "socket",
+ "socketcall",
+ "socketpair",
+ "splice",
+ "stat",
+ "stat64",
+ "statfs",
+ "statfs64",
+ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
+ "sync_file_range",
+ "syncfs",
+ "sysinfo",
+ "syslog",
+ "tee",
+ "tgkill",
+ "time",
+ "timer_create",
+ "timer_delete",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
+ "timer_getoverrun",
+ "timer_gettime",
+ "timer_settime",
+ "times",
+ "tkill",
+ "truncate",
+ "truncate64",
+ "ugetrlimit",
+ "umask",
+ "umount",
+ "uname",
+ "unlink",
+ "unlinkat",
+ "utime",
+ "utimensat",
+ "utimes",
+ "vfork",
+ "vmsplice",
+ "wait4",
+ "waitid",
+ "waitpid",
+ "write",
+ "writev",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x0,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x0008,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x20000,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x20008,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0xffffffff,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{
+ "sync_file_range2",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"ppc64le"},
+ },
+ },
+ {
+ Names: []string{
+ "arm_fadvise64_64",
+ "arm_sync_file_range",
+ "sync_file_range2",
+ "breakpoint",
+ "cacheflush",
+ "set_tls",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"arm", "arm64"},
+ },
+ },
+ {
+ Names: []string{
+ "arch_prctl",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"amd64", "x32"},
+ },
+ },
+ {
+ Names: []string{
+ "modify_ldt",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"amd64", "x32", "x86"},
+ },
+ },
+ {
+ Names: []string{
+ "s390_pci_mmio_read",
+ "s390_pci_mmio_write",
+ "s390_runtime_instr",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "open_by_handle_at",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_DAC_READ_SEARCH"},
+ },
+ },
+ {
+ Names: []string{
+ "bpf",
+ "clone",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+ "name_to_handle_at",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns",
+ "umount",
+ "umount2",
+ "unshare",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: OpMaskedEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 1,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: OpMaskedEqual,
+ },
+ },
+ Comment: "s390 parameter ordering for clone is different",
+ Includes: Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "reboot",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_BOOT"},
+ },
+ },
+ {
+ Names: []string{
+ "chroot",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_CHROOT"},
+ },
+ },
+ {
+ Names: []string{
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_MODULE"},
+ },
+ },
+ {
+ Names: []string{
+ "get_mempolicy",
+ "mbind",
+ "name_to_handle_at",
+ "set_mempolicy",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_NICE"},
+ },
+ },
+ {
+ Names: []string{
+ "acct",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_PACCT"},
+ },
+ },
+ {
+ Names: []string{
+ "kcmp",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_PTRACE"},
+ },
+ },
+ {
+ Names: []string{
+ "iopl",
+ "ioperm",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_RAWIO"},
+ },
+ },
+ {
+ Names: []string{
+ "settimeofday",
+ "stime",
+ "clock_settime",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_TIME"},
+ },
+ },
+ {
+ Names: []string{
+ "vhangup",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_TTY_CONFIG"},
+ },
+ },
+ }
+
+ return &Seccomp{
+ DefaultAction: ActErrno,
+ ArchMap: arches(),
+ Syscalls: syscalls,
+ }
+}
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go
new file mode 100644
index 000000000..9a495e3e2
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go
@@ -0,0 +1,159 @@
+// +build seccomp
+
+package seccomp // import "github.com/seccomp/containers-golang"
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+ libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+//go:generate go run -tags 'seccomp' generate.go
+
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return setupSeccomp(DefaultProfile(), rs)
+}
+
+// LoadProfile takes a json string and decodes the seccomp profile.
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ var config Seccomp
+ if err := json.Unmarshal([]byte(body), &config); err != nil {
+ return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
+ }
+ return setupSeccomp(&config, rs)
+}
+
+var nativeToSeccomp = map[string]Arch{
+ "amd64": ArchX86_64,
+ "arm64": ArchAARCH64,
+ "mips64": ArchMIPS64,
+ "mips64n32": ArchMIPS64N32,
+ "mipsel64": ArchMIPSEL64,
+ "mipsel64n32": ArchMIPSEL64N32,
+ "s390x": ArchS390X,
+}
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case sensitive
+func inSlice(slice []string, s string) bool {
+ for _, ss := range slice {
+ if s == ss {
+ return true
+ }
+ }
+ return false
+}
+
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ if config == nil {
+ return nil, nil
+ }
+
+ // No default action specified, no syscalls listed, assume seccomp disabled
+ if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+ return nil, nil
+ }
+
+ newConfig := &specs.LinuxSeccomp{}
+
+ var arch string
+ var native, err = libseccomp.GetNativeArch()
+ if err == nil {
+ arch = native.String()
+ }
+
+ if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
+ return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
+ }
+
+ // if config.Architectures == 0 then libseccomp will figure out the architecture to use
+ if len(config.Architectures) != 0 {
+ for _, a := range config.Architectures {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
+ }
+ }
+
+ if len(config.ArchMap) != 0 {
+ for _, a := range config.ArchMap {
+ seccompArch, ok := nativeToSeccomp[arch]
+ if ok {
+ if a.Arch == seccompArch {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
+ for _, sa := range a.SubArches {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
+ }
+ break
+ }
+ }
+ }
+ }
+
+ newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+
+Loop:
+ // Loop through all syscall blocks and convert them to libcontainer format after filtering them
+ for _, call := range config.Syscalls {
+ if len(call.Excludes.Arches) > 0 {
+ if inSlice(call.Excludes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Excludes.Caps) > 0 {
+ for _, c := range call.Excludes.Caps {
+ if inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+ if len(call.Includes.Arches) > 0 {
+ if !inSlice(call.Includes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Includes.Caps) > 0 {
+ for _, c := range call.Includes.Caps {
+ if !inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+
+ if call.Name != "" && len(call.Names) != 0 {
+ return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+ }
+
+ if call.Name != "" {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ }
+
+ for _, n := range call.Names {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ }
+ }
+
+ return newConfig, nil
+}
+
+func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSyscall {
+ newCall := specs.LinuxSyscall{
+ Names: []string{name},
+ Action: specs.LinuxSeccompAction(action),
+ }
+
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range args {
+ newArg := specs.LinuxSeccompArg{
+ Index: arg.Index,
+ Value: arg.Value,
+ ValueTwo: arg.ValueTwo,
+ Op: specs.LinuxSeccompOperator(arg.Op),
+ }
+
+ newCall.Args = append(newCall.Args, newArg)
+ }
+ return newCall
+}
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go
new file mode 100644
index 000000000..279340426
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go
@@ -0,0 +1,24 @@
+// +build !seccomp
+
+package seccomp // import "github.com/seccomp/containers-golang"
+
+import (
+ "fmt"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// DefaultProfile returns a nil pointer on unsupported systems.
+func DefaultProfile() *Seccomp {
+ return nil
+}
+
+// LoadProfile returns an error on unsuppored systems
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, fmt.Errorf("Seccomp not supported on this platform")
+}
+
+// GetDefaultProfile returns an error on unsuppored systems
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, fmt.Errorf("Seccomp not supported on this platform")
+}
diff --git a/vendor/github.com/seccomp/containers-golang/types.go b/vendor/github.com/seccomp/containers-golang/types.go
new file mode 100644
index 000000000..b549a55fe
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/types.go
@@ -0,0 +1,93 @@
+package seccomp // import "github.com/seccomp/containers-golang"
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+type Seccomp struct {
+ DefaultAction Action `json:"defaultAction"`
+ // Architectures is kept to maintain backward compatibility with the old
+ // seccomp profile.
+ Architectures []Arch `json:"architectures,omitempty"`
+ ArchMap []Architecture `json:"archMap,omitempty"`
+ Syscalls []*Syscall `json:"syscalls"`
+}
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+type Architecture struct {
+ Arch Arch `json:"architecture"`
+ SubArches []Arch `json:"subArchitectures"`
+}
+
+// Arch used for architectures
+type Arch string
+
+// Additional architectures permitted to be used for system calls
+// By default only the native architecture of the kernel is permitted
+const (
+ ArchX86 Arch = "SCMP_ARCH_X86"
+ ArchX86_64 Arch = "SCMP_ARCH_X86_64"
+ ArchX32 Arch = "SCMP_ARCH_X32"
+ ArchARM Arch = "SCMP_ARCH_ARM"
+ ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
+ ArchMIPS Arch = "SCMP_ARCH_MIPS"
+ ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
+ ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
+ ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
+ ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
+ ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
+ ArchPPC Arch = "SCMP_ARCH_PPC"
+ ArchPPC64 Arch = "SCMP_ARCH_PPC64"
+ ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
+ ArchS390 Arch = "SCMP_ARCH_S390"
+ ArchS390X Arch = "SCMP_ARCH_S390X"
+)
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Define actions for Seccomp rules
+const (
+ ActKill Action = "SCMP_ACT_KILL"
+ ActTrap Action = "SCMP_ACT_TRAP"
+ ActErrno Action = "SCMP_ACT_ERRNO"
+ ActTrace Action = "SCMP_ACT_TRACE"
+ ActAllow Action = "SCMP_ACT_ALLOW"
+)
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Define operators for syscall arguments in Seccomp
+const (
+ OpNotEqual Operator = "SCMP_CMP_NE"
+ OpLessThan Operator = "SCMP_CMP_LT"
+ OpLessEqual Operator = "SCMP_CMP_LE"
+ OpEqualTo Operator = "SCMP_CMP_EQ"
+ OpGreaterEqual Operator = "SCMP_CMP_GE"
+ OpGreaterThan Operator = "SCMP_CMP_GT"
+ OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
+)
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+ Index uint `json:"index"`
+ Value uint64 `json:"value"`
+ ValueTwo uint64 `json:"valueTwo"`
+ Op Operator `json:"op"`
+}
+
+// Filter is used to conditionally apply Seccomp rules
+type Filter struct {
+ Caps []string `json:"caps,omitempty"`
+ Arches []string `json:"arches,omitempty"`
+}
+
+// Syscall is used to match a group of syscalls in Seccomp
+type Syscall struct {
+ Name string `json:"name,omitempty"`
+ Names []string `json:"names,omitempty"`
+ Action Action `json:"action"`
+ Args []*Arg `json:"args"`
+ Comment string `json:"comment"`
+ Includes Filter `json:"includes"`
+ Excludes Filter `json:"excludes"`
+}
diff --git a/vendor/github.com/seccomp/containers-golang/vendor.conf b/vendor/github.com/seccomp/containers-golang/vendor.conf
new file mode 100644
index 000000000..6111c475b
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/vendor.conf
@@ -0,0 +1,9 @@
+github.com/opencontainers/runtime-tools master
+github.com/blang/semver master
+github.com/hashicorp/go-multierror master
+github.com/hashicorp/errwrap master
+github.com/syndtr/gocapability master
+github.com/xeipuuv/gojsonschema master
+github.com/xeipuuv/gojsonreference master
+github.com/xeipuuv/gojsonpointer master
+