Merge pull request #20106 from jfrazelle/go-generate-json-default-profile

add default seccomp profile as json

Makefile

@@ -116,4 +116,4 @@ test-unit: build
 	$(DOCKER_RUN_DOCKER) hack/make.sh test-unit
 
 validate: build
-	$(DOCKER_RUN_DOCKER) hack/make.sh validate-dco validate-gofmt validate-pkg validate-lint validate-test validate-toml validate-vet validate-vendor
+	$(DOCKER_RUN_DOCKER) hack/make.sh validate-dco validate-default-seccomp validate-gofmt validate-pkg validate-lint validate-test validate-toml validate-vet validate-vendor

hack/make.sh

@@ -56,6 +56,7 @@ echo
 # List of bundles to create when no argument is passed
 DEFAULT_BUNDLES=(
 	validate-dco
+	validate-default-seccomp
 	validate-gofmt
 	validate-lint
 	validate-pkg

hack/make/validate-default-seccomp

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+source "${MAKEDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'profiles/seccomp' || true) )
+unset IFS
+
+if [ ${#files[@]} -gt 0 ]; then
+	# We run vendor.sh to and see if we have a diff afterwards
+	go generate ./profiles/seccomp/ >/dev/null
+	# Let see if the working directory is clean
+	diffs="$(git status --porcelain -- profiles/seccomp 2>/dev/null)"
+	if [ "$diffs" ]; then
+		{
+			echo 'The result of go generate ./profiles/seccomp/ differs'
+			echo
+			echo "$diffs"
+			echo
+			echo 'Please re-run go generate ./profiles/seccomp/'
+			echo
+		} >&2
+		false
+	else
+		echo 'Congratulations! Seccomp profile generation is done correctly.'
+	fi
+fi

profiles/seccomp/generate.go

@@ -0,0 +1,35 @@
+// +build ignore
+
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/profiles/seccomp"
+)
+
+// saves the default seccomp profile as a json file so people can use it as a
+// base for their own custom profiles
+func main() {
+	wd, err := os.Getwd()
+	if err != nil {
+		panic(err)
+	}
+	f := filepath.Join(wd, "default.json")
+
+	// get the default profile
+	p := seccomp.GetDefaultProfile()
+
+	// write the default profile to the file
+	b, err := json.MarshalIndent(p, "", "\t")
+	if err != nil {
+		panic(err)
+	}
+
+	if err := ioutil.WriteFile(f, b, 0644); err != nil {
+		panic(err)
+	}
+}

profiles/seccomp/seccomp.go

@@ -11,9 +11,11 @@ import (
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 )
 
+//go:generate go run -tags 'seccomp' generate.go
+
 // GetDefaultProfile returns the default seccomp profile.
 func GetDefaultProfile() *configs.Seccomp {
-	return defaultSeccompProfile
+	return defaultProfile
 }
 
 // LoadProfile takes a file path a decodes the seccomp profile.

profiles/seccomp/seccomp_default.go

@@ -33,7 +33,8 @@ func arches() []string {
 	}
 }
 
-var defaultSeccompProfile = &configs.Seccomp{
+// defaultProfile defines the whitelist for the default seccomp profile.
+var defaultProfile = &configs.Seccomp{
 	DefaultAction: configs.Errno,
 	Architectures: arches(),
 	Syscalls: []*configs.Syscall{

profiles/seccomp/seccomp_unsupported.go

@@ -5,5 +5,6 @@ package seccomp
 import "github.com/opencontainers/runc/libcontainer/configs"
 
 var (
-	defaultSeccompProfile *configs.Seccomp
+	// defaultProfile is a nil pointer on unsupported systems.
+	defaultProfile *configs.Seccomp
 )