Merge pull request #42604 from kinvolk/rata/seccomp-new-fields
seccomp: Sync fields with runtime-spec fields
This commit is contained in:
Sebastiaan van Stijn
GitHub
commit
a2da507857
|
|
@ -11,7 +11,11 @@ import (
|
|||
|
||||
// Seccomp represents the config for a seccomp profile for syscall restriction.
|
||||
type Seccomp struct {
|
||||
DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
|
||||
DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
|
||||
DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
|
||||
ListenerPath string `json:"listenerPath,omitempty"`
|
||||
ListenerMetadata string `json:"listenerMetadata,omitempty"`
|
||||
|
||||
// Architectures is kept to maintain backward compatibility with the old
|
||||
// seccomp profile.
|
||||
Architectures []specs.Arch `json:"architectures,omitempty"`
|
||||
|
|
|
|||
|
|
@ -107,6 +107,9 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
|
|||
}
|
||||
|
||||
newConfig.DefaultAction = config.DefaultAction
|
||||
newConfig.DefaultErrnoRet = config.DefaultErrnoRet
|
||||
newConfig.ListenerPath = config.ListenerPath
|
||||
newConfig.ListenerMetadata = config.ListenerMetadata
|
||||
|
||||
Loop:
|
||||
// Loop through all syscall blocks and convert them to libcontainer format after filtering them
|
||||
|
|
|
|||
|
|
@ -59,6 +59,47 @@ func TestLoadProfile(t *testing.T) {
|
|||
assert.DeepEqual(t, expected, *p)
|
||||
}
|
||||
|
||||
func TestLoadProfileWithDefaultErrnoRet(t *testing.T) {
|
||||
var profile = []byte(`{
|
||||
"defaultAction": "SCMP_ACT_ERRNO",
|
||||
"defaultErrnoRet": 6
|
||||
}`)
|
||||
rs := createSpec()
|
||||
p, err := LoadProfile(string(profile), &rs)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
expectedErrnoRet := uint(6)
|
||||
expected := specs.LinuxSeccomp{
|
||||
DefaultAction: "SCMP_ACT_ERRNO",
|
||||
DefaultErrnoRet: &expectedErrnoRet,
|
||||
}
|
||||
|
||||
assert.DeepEqual(t, expected, *p)
|
||||
}
|
||||
|
||||
func TestLoadProfileWithListenerPath(t *testing.T) {
|
||||
var profile = []byte(`{
|
||||
"defaultAction": "SCMP_ACT_ERRNO",
|
||||
"listenerPath": "/var/run/seccompaget.sock",
|
||||
"listenerMetadata": "opaque-metadata"
|
||||
}`)
|
||||
rs := createSpec()
|
||||
p, err := LoadProfile(string(profile), &rs)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
expected := specs.LinuxSeccomp{
|
||||
DefaultAction: "SCMP_ACT_ERRNO",
|
||||
ListenerPath: "/var/run/seccompaget.sock",
|
||||
ListenerMetadata: "opaque-metadata",
|
||||
}
|
||||
|
||||
assert.DeepEqual(t, expected, *p)
|
||||
}
|
||||
|
||||
// TestLoadLegacyProfile tests loading a seccomp profile in the old format
|
||||
// (before https://github.com/docker/docker/pull/24510)
|
||||
func TestLoadLegacyProfile(t *testing.T) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue