Remove dependency in dockerd on libseccomp
This was just using libseccomp to get the right arch, but we can use GOARCH to get this. The nativeToSeccomp map needed to be adjusted a bit for mipsle vs mipsel since that's go how refers to it. Also added some other arches to it. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This commit is contained in:
parent
ae0ef82b90
commit
ccbb00c815
|
@ -1,4 +1,4 @@
|
||||||
// +build linux,seccomp
|
// +build seccomp
|
||||||
|
|
||||||
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// +build linux
|
//go:generate go run -tags 'seccomp' generate.go
|
||||||
|
|
||||||
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
||||||
|
|
||||||
|
@ -6,15 +6,13 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"runtime"
|
||||||
|
|
||||||
"github.com/docker/docker/api/types"
|
"github.com/docker/docker/api/types"
|
||||||
"github.com/docker/docker/pkg/parsers/kernel"
|
"github.com/docker/docker/pkg/parsers/kernel"
|
||||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
libseccomp "github.com/seccomp/libseccomp-golang"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
//go:generate go run -tags 'seccomp' generate.go
|
|
||||||
|
|
||||||
// GetDefaultProfile returns the default seccomp profile.
|
// GetDefaultProfile returns the default seccomp profile.
|
||||||
func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
||||||
return setupSeccomp(DefaultProfile(), rs)
|
return setupSeccomp(DefaultProfile(), rs)
|
||||||
|
@ -29,16 +27,42 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
|
||||||
return setupSeccomp(&config, rs)
|
return setupSeccomp(&config, rs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// libseccomp string => seccomp arch
|
||||||
var nativeToSeccomp = map[string]types.Arch{
|
var nativeToSeccomp = map[string]types.Arch{
|
||||||
|
"x86": types.ArchX86,
|
||||||
"amd64": types.ArchX86_64,
|
"amd64": types.ArchX86_64,
|
||||||
|
"arm": types.ArchARM,
|
||||||
"arm64": types.ArchAARCH64,
|
"arm64": types.ArchAARCH64,
|
||||||
"mips64": types.ArchMIPS64,
|
"mips64": types.ArchMIPS64,
|
||||||
"mips64n32": types.ArchMIPS64N32,
|
"mips64n32": types.ArchMIPS64N32,
|
||||||
"mipsel64": types.ArchMIPSEL64,
|
"mipsel64": types.ArchMIPSEL64,
|
||||||
"mipsel64n32": types.ArchMIPSEL64N32,
|
"mips3l64n32": types.ArchMIPSEL64N32,
|
||||||
|
"mipsle": types.ArchMIPSEL,
|
||||||
|
"ppc": types.ArchPPC,
|
||||||
|
"ppc64": types.ArchPPC64,
|
||||||
|
"ppc64le": types.ArchPPC64LE,
|
||||||
|
"s390": types.ArchS390,
|
||||||
"s390x": types.ArchS390X,
|
"s390x": types.ArchS390X,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GOARCH => libseccomp string
|
||||||
|
var goToNative = map[string]string{
|
||||||
|
"386": "x86",
|
||||||
|
"amd64": "amd64",
|
||||||
|
"arm": "arm",
|
||||||
|
"arm64": "arm64",
|
||||||
|
"mips64": "mips64",
|
||||||
|
"mips64p32": "mips64n32",
|
||||||
|
"mips64le": "mipsel64",
|
||||||
|
"mips64p32le": "mips3l64n32",
|
||||||
|
"mipsle": "mipsel",
|
||||||
|
"ppc": "ppc",
|
||||||
|
"ppc64": "ppc64",
|
||||||
|
"ppc64le": "ppc64le",
|
||||||
|
"s390": "s390",
|
||||||
|
"s390x": "s390x",
|
||||||
|
}
|
||||||
|
|
||||||
// inSlice tests whether a string is contained in a slice of strings or not.
|
// inSlice tests whether a string is contained in a slice of strings or not.
|
||||||
// Comparison is case sensitive
|
// Comparison is case sensitive
|
||||||
func inSlice(slice []string, s string) bool {
|
func inSlice(slice []string, s string) bool {
|
||||||
|
@ -62,12 +86,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
|
||||||
|
|
||||||
newConfig := &specs.LinuxSeccomp{}
|
newConfig := &specs.LinuxSeccomp{}
|
||||||
|
|
||||||
var arch string
|
|
||||||
var native, err = libseccomp.GetNativeArch()
|
|
||||||
if err == nil {
|
|
||||||
arch = native.String()
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
|
if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
|
||||||
return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
|
return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
|
||||||
}
|
}
|
||||||
|
@ -79,17 +97,17 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(config.ArchMap) != 0 {
|
arch := goToNative[runtime.GOARCH]
|
||||||
|
seccompArch, archExists := nativeToSeccomp[arch]
|
||||||
|
|
||||||
|
if len(config.ArchMap) != 0 && archExists {
|
||||||
for _, a := range config.ArchMap {
|
for _, a := range config.ArchMap {
|
||||||
seccompArch, ok := nativeToSeccomp[arch]
|
if a.Arch == seccompArch {
|
||||||
if ok {
|
newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
|
||||||
if a.Arch == seccompArch {
|
for _, sa := range a.SubArches {
|
||||||
newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
|
newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
|
||||||
for _, sa := range a.SubArches {
|
|
||||||
newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
|
|
||||||
}
|
|
||||||
break
|
|
||||||
}
|
}
|
||||||
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
Loading…
Reference in New Issue