add pkg/seccomp

Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

2 files changed, 8 insertions, 49 deletions

diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go
index ae83c9d52..05f42c4da 100644
--- a/pkg/spec/config_linux_cgo.go
+++ b/pkg/spec/config_linux_cgo.go
@@ -5,9 +5,10 @@ package createconfig
 import (
 	"io/ioutil"
 
+	"github.com/containers/libpod/pkg/seccomp"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
-	seccomp "github.com/seccomp/containers-golang"
+	goSeccomp "github.com/seccomp/containers-golang"
 	"github.com/sirupsen/logrus"
 )
 
@@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 	var seccompConfig *spec.LinuxSeccomp
 	var err error
 
-	if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" {
+	if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" {
 		logrus.Debug("Loading seccomp profile from the security config")
-		seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
 		if err != nil {
 			return nil, errors.Wrap(err, "loading seccomp profile failed")
 		}
@@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 		if err != nil {
 			return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
-		seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
 	} else {
 		logrus.Debug("Loading default seccomp profile")
-		seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
+		seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index fb222083b..173dfb842 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -2,7 +2,6 @@ package createconfig
 
 import (
 	"os"
-	"sort"
 	"strconv"
 	"strings"
 	"syscall"
@@ -11,6 +10,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/namespaces"
+	"github.com/containers/libpod/pkg/seccomp"
 	"github.com/containers/storage"
 	"github.com/docker/go-connections/nat"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -107,48 +107,6 @@ type NetworkConfig struct {
 	PublishAll   bool     //publish-all
 }
 
-// SeccompPolicy determines which seccomp profile gets applied to the container.
-type SeccompPolicy int
-
-const (
-	// SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath,
-	// otherwise use the default profile.  The SeccompProfilePath might be
-	// explicitly set by the user.
-	SeccompPolicyDefault SeccompPolicy = iota
-	// SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
-	// otherwise follow SeccompPolicyDefault.
-	SeccompPolicyImage
-)
-
-// Map for easy lookups of supported policies.
-var supportedSeccompPolicies = map[string]SeccompPolicy{
-	"":        SeccompPolicyDefault,
-	"default": SeccompPolicyDefault,
-	"image":   SeccompPolicyImage,
-}
-
-// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified
-// string. If none is found, an errors is returned including the list of
-// supported policies.
-// Note that an empty string resolved to SeccompPolicyDefault.
-func LookupSeccompPolicy(s string) (SeccompPolicy, error) {
-	policy, exists := supportedSeccompPolicies[s]
-	if exists {
-		return policy, nil
-	}
-
-	// Sort the keys first as maps are non-deterministic.
-	keys := []string{}
-	for k := range supportedSeccompPolicies {
-		if k != "" {
-			keys = append(keys, k)
-		}
-	}
-	sort.Strings(keys)
-
-	return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
-}
-
 // SecurityConfig configures the security features for the container
 type SecurityConfig struct {
 	CapAdd                  []string // cap-add
@@ -158,7 +116,7 @@ type SecurityConfig struct {
 	ApparmorProfile         string   //SecurityOpts
 	SeccompProfilePath      string   //SecurityOpts
 	SeccompProfileFromImage string   // seccomp profile from the container image
-	SeccompPolicy           SeccompPolicy
+	SeccompPolicy           seccomp.Policy
 	SecurityOpts            []string
 	Privileged              bool              //privileged
 	ReadOnlyRootfs          bool              //read-only