From e76380b67bcdeb289af66ec5d6412ea85063fc04 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Tue, 5 Feb 2019 11:31:44 -0800
Subject: [PATCH] seccomp: review update

Signed-off-by: Tonis Tiigi
---
 profiles/seccomp/default.json | 2 +-
 profiles/seccomp/seccomp.go | 31 +++++++++++++++--------------
 profiles/seccomp/seccomp_default.go | 2 +-
 3 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 3aa42f4253..7a3a99ae11 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -374,7 +374,7 @@
 "args": null,
 "comment": "",
 "includes": {
- "minKernel": "4.8.0"
+ "minKernel": "4.8"
 },
 "excludes": {}
 },
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
index 589a6f4b16..9f222a6eec 100644
--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -96,21 +96,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
 
- var currentKernelVersion *kernel.VersionInfo
- kernelGreaterEqualThan := func(v string) (bool, error) {
- version, err := kernel.ParseRelease(v)
- if err != nil {
- return false, err
- }
- if currentKernelVersion == nil {
- currentKernelVersion, err = kernel.GetKernelVersion()
- if err != nil {
- return false, err
- }
- }
- return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
- }
-
 Loop:
 // Loop through all syscall blocks and convert them to libcontainer format after filtering them
 for _, call := range config.Syscalls {
@@ -188,3 +173,19 @@ func createSpecsSyscall(name string, action types.Action, args []*types.Arg) spe
 }
 return newCall
 }
+
+var currentKernelVersion *kernel.VersionInfo
+
+func kernelGreaterEqualThan(v string) (bool, error) {
+ version, err := kernel.ParseRelease(v)
+ if err != nil {
+ return false, err
+ }
+ if currentKernelVersion == nil {
+ currentKernelVersion, err = kernel.GetKernelVersion()
+ if err != nil {
+ return false, err
+ }
+ }
+ return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
+}
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 709f553824..0776749405 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -360,7 +360,7 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{"ptrace"},
 Action: types.ActAllow,
 Includes: types.Filter{
- MinKernel: "4.8.0",
+ MinKernel: "4.8",
 },
 },
 {
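Review bot: Hoisting `currentKernelVersion` to package scope turns the lazy initialisation in the added `kernelGreaterEqualThan` into an unsynchronised read-then-write on shared state — the `== nil` check and the assignment from `kernel.GetKernelVersion()` can now race between goroutines, whereas the removed closure kept the cache per `setupSeccomp` call; whether `setupSeccomp` is actually invoked concurrently is not visible here, but a package-level cache should not depend on that. The comparison result decides whether syscalls such as `ptrace` (gated by `MinKernel: "4.8"` in the last hunk) are admitted into the generated profile, so the lookup is worth serialising with a `sync.Mutex` (`sync` would need importing), which also preserves the existing behaviour of retrying a failed `GetKernelVersion()` on the next call, unlike a `sync.Once`. The function also deserves a doc comment such as `// kernelGreaterEqualThan reports whether the running kernel is at least release v; the running version is read once and cached.`, since the `CompareKernelVersion(...) <= 0` test reads as the opposite of the name at first glance.
```go
var (
	kernelVersionMu      sync.Mutex
	currentKernelVersion *kernel.VersionInfo
)

// runningKernelVersion returns the running kernel's version, reading it once
// and caching it for later callers; a failed read is retried on the next call.
func runningKernelVersion() (*kernel.VersionInfo, error) {
	kernelVersionMu.Lock()
	defer kernelVersionMu.Unlock()
	if currentKernelVersion == nil {
		v, err := kernel.GetKernelVersion()
		if err != nil {
			return nil, err
		}
		currentKernelVersion = v
	}
	return currentKernelVersion, nil
}

// kernelGreaterEqualThan reports whether the running kernel is at least release v.
func kernelGreaterEqualThan(v string) (bool, error) {
	version, err := kernel.ParseRelease(v)
	if err != nil {
		return false, err
	}
	current, err := runningKernelVersion()
	if err != nil {
		return false, err
	}
	return kernel.CompareKernelVersion(*version, *current) <= 0, nil
}
```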