3 files changed, 0 insertions, 278 deletions
diff --git a/server/seccomp/seccomp.go b/server/seccomp/seccomp.go
deleted file mode 100644
index cf77c8274..000000000
--- a/server/seccomp/seccomp.go
+++ /dev/null
@@ -1,165 +0,0 @@
-// +build seccomp
-
-package seccomp
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"github.com/docker/docker/pkg/stringutils"
-	specs "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/runtime-tools/generate"
-	libseccomp "github.com/seccomp/libseccomp-golang"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-// IsEnabled returns true if seccomp is enabled for the host.
-func IsEnabled() bool {
-	enabled := false
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
-	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
-			enabled = true
-		}
-	}
-	logrus.Debugf("seccomp status: %v", enabled)
-	return enabled
-}
-
-// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
-func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
-	return setupSeccomp(&config, specgen)
-}
-
-// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
-func LoadProfileFromBytes(body []byte, specgen *generate.Generator) error {
-	var config Seccomp
-	if err := json.Unmarshal(body, &config); err != nil {
-		return fmt.Errorf("decoding seccomp profile failed: %v", err)
-	}
-	return setupSeccomp(&config, specgen)
-}
-
-var nativeToSeccomp = map[string]Arch{
-	"amd64":       ArchX86_64,
-	"arm64":       ArchAARCH64,
-	"mips64":      ArchMIPS64,
-	"mips64n32":   ArchMIPS64N32,
-	"mipsel64":    ArchMIPSEL64,
-	"mipsel64n32": ArchMIPSEL64N32,
-	"s390x":       ArchS390X,
-}
-
-func setupSeccomp(config *Seccomp, specgen *generate.Generator) error {
-	if config == nil {
-		return nil
-	}
-
-	// No default action specified, no syscalls listed, assume seccomp disabled
-	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
-		return nil
-	}
-
-	var arch string
-	var native, err = libseccomp.GetNativeArch()
-	if err == nil {
-		arch = native.String()
-	}
-
-	if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
-		return errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
-	}
-
-	customspec := specgen.Spec()
-	customspec.Linux.Seccomp = &specs.LinuxSeccomp{}
-
-	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
-	if len(config.Architectures) != 0 {
-		for _, a := range config.Architectures {
-			customspec.Linux.Seccomp.Architectures = append(customspec.Linux.Seccomp.Architectures, specs.Arch(a))
-		}
-	}
-
-	if len(config.ArchMap) != 0 {
-		for _, a := range config.ArchMap {
-			seccompArch, ok := nativeToSeccomp[arch]
-			if ok {
-				if a.Arch == seccompArch {
-					customspec.Linux.Seccomp.Architectures = append(customspec.Linux.Seccomp.Architectures, specs.Arch(a.Arch))
-					for _, sa := range a.SubArches {
-						customspec.Linux.Seccomp.Architectures = append(customspec.Linux.Seccomp.Architectures, specs.Arch(sa))
-					}
-					break
-				}
-			}
-		}
-	}
-
-	customspec.Linux.Seccomp.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
-
-Loop:
-	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
-	for _, call := range config.Syscalls {
-		if len(call.Excludes.Arches) > 0 {
-			if stringutils.InSlice(call.Excludes.Arches, arch) {
-				continue Loop
-			}
-		}
-		if len(call.Excludes.Caps) > 0 {
-			for _, c := range call.Excludes.Caps {
-				if stringutils.InSlice(customspec.Process.Capabilities.Permitted, c) {
-					continue Loop
-				}
-			}
-		}
-		if len(call.Includes.Arches) > 0 {
-			if !stringutils.InSlice(call.Includes.Arches, arch) {
-				continue Loop
-			}
-		}
-		if len(call.Includes.Caps) > 0 {
-			for _, c := range call.Includes.Caps {
-				if !stringutils.InSlice(customspec.Process.Capabilities.Permitted, c) {
-					continue Loop
-				}
-			}
-		}
-
-		if call.Name != "" && len(call.Names) != 0 {
-			return errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
-		}
-
-		if call.Name != "" {
-			customspec.Linux.Seccomp.Syscalls = append(customspec.Linux.Seccomp.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
-		}
-
-		for _, n := range call.Names {
-			customspec.Linux.Seccomp.Syscalls = append(customspec.Linux.Seccomp.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
-		}
-	}
-
-	return nil
-}
-
-func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSyscall {
-	newCall := specs.LinuxSyscall{
-		Names:  []string{name},
-		Action: specs.LinuxSeccompAction(action),
-	}
-
-	// Loop through all the arguments of the syscall and convert them
-	for _, arg := range args {
-		newArg := specs.LinuxSeccompArg{
-			Index:    arg.Index,
-			Value:    arg.Value,
-			ValueTwo: arg.ValueTwo,
-			Op:       specs.LinuxSeccompOperator(arg.Op),
-		}
-
-		newCall.Args = append(newCall.Args, newArg)
-	}
-	return newCall
-}
diff --git a/server/seccomp/seccomp_unsupported.go b/server/seccomp/seccomp_unsupported.go
deleted file mode 100644
index efb36bdf9..000000000
--- a/server/seccomp/seccomp_unsupported.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// +build !seccomp
-
-package seccomp
-
-import "github.com/opencontainers/runtime-tools/generate"
-
-// IsEnabled returns false, when build without seccomp build tag.
-func IsEnabled() bool {
-	return false
-}
-
-// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
-func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
-	return nil
-}
-
-// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
-func LoadProfileFromBytes(body []byte, specgen *generate.Generator) error {
-	return nil
-}
diff --git a/server/seccomp/types.go b/server/seccomp/types.go
deleted file mode 100644
index 5b07f8c03..000000000
--- a/server/seccomp/types.go
+++ /dev/null
@@ -1,93 +0,0 @@
-package seccomp
-
-// Seccomp represents the config for a seccomp profile for syscall restriction.
-type Seccomp struct {
-	DefaultAction Action `json:"defaultAction"`
-	// Architectures is kept to maintain backward compatibility with the old
-	// seccomp profile.
-	Architectures []Arch         `json:"architectures,omitempty"`
-	ArchMap       []Architecture `json:"archMap,omitempty"`
-	Syscalls      []*Syscall     `json:"syscalls"`
-}
-
-// Architecture is used to represent an specific architecture
-// and its sub-architectures
-type Architecture struct {
-	Arch      Arch   `json:"architecture"`
-	SubArches []Arch `json:"subArchitectures"`
-}
-
-// Arch used for architectures
-type Arch string
-
-// Additional architectures permitted to be used for system calls
-// By default only the native architecture of the kernel is permitted
-const (
-	ArchX86         Arch = "SCMP_ARCH_X86"
-	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
-	ArchX32         Arch = "SCMP_ARCH_X32"
-	ArchARM         Arch = "SCMP_ARCH_ARM"
-	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
-	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
-	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
-	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
-	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
-	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
-	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
-	ArchPPC         Arch = "SCMP_ARCH_PPC"
-	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
-	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
-	ArchS390        Arch = "SCMP_ARCH_S390"
-	ArchS390X       Arch = "SCMP_ARCH_S390X"
-)
-
-// Action taken upon Seccomp rule match
-type Action string
-
-// Define actions for Seccomp rules
-const (
-	ActKill  Action = "SCMP_ACT_KILL"
-	ActTrap  Action = "SCMP_ACT_TRAP"
-	ActErrno Action = "SCMP_ACT_ERRNO"
-	ActTrace Action = "SCMP_ACT_TRACE"
-	ActAllow Action = "SCMP_ACT_ALLOW"
-)
-
-// Operator used to match syscall arguments in Seccomp
-type Operator string
-
-// Define operators for syscall arguments in Seccomp
-const (
-	OpNotEqual     Operator = "SCMP_CMP_NE"
-	OpLessThan     Operator = "SCMP_CMP_LT"
-	OpLessEqual    Operator = "SCMP_CMP_LE"
-	OpEqualTo      Operator = "SCMP_CMP_EQ"
-	OpGreaterEqual Operator = "SCMP_CMP_GE"
-	OpGreaterThan  Operator = "SCMP_CMP_GT"
-	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
-)
-
-// Arg used for matching specific syscall arguments in Seccomp
-type Arg struct {
-	Index    uint     `json:"index"`
-	Value    uint64   `json:"value"`
-	ValueTwo uint64   `json:"valueTwo"`
-	Op       Operator `json:"op"`
-}
-
-// Filter is used to conditionally apply Seccomp rules
-type Filter struct {
-	Caps   []string `json:"caps,omitempty"`
-	Arches []string `json:"arches,omitempty"`
-}
-
-// Syscall is used to match a group of syscalls in Seccomp
-type Syscall struct {
-	Name     string   `json:"name,omitempty"`
-	Names    []string `json:"names,omitempty"`
-	Action   Action   `json:"action"`
-	Args     []*Arg   `json:"args"`
-	Comment  string   `json:"comment"`
-	Includes Filter   `json:"includes"`
-	Excludes Filter   `json:"excludes"`
-}