// +build linux package seccomp import ( "encoding/json" "fmt" "github.com/docker/engine-api/types" "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runc/libcontainer/seccomp" ) //go:generate go run -tags 'seccomp' generate.go // GetDefaultProfile returns the default seccomp profile. func GetDefaultProfile() (*configs.Seccomp, error) { return setupSeccomp(DefaultProfile) } // LoadProfile takes a file path a decodes the seccomp profile. func LoadProfile(body string) (*configs.Seccomp, error) { var config types.Seccomp if err := json.Unmarshal([]byte(body), &config); err != nil { return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err) } return setupSeccomp(&config) } func setupSeccomp(config *types.Seccomp) (newConfig *configs.Seccomp, err error) { if config == nil { return nil, nil } // No default action specified, no syscalls listed, assume seccomp disabled if config.DefaultAction == "" && len(config.Syscalls) == 0 { return nil, nil } newConfig = new(configs.Seccomp) newConfig.Syscalls = []*configs.Syscall{} // if config.Architectures == 0 then libseccomp will figure out the architecture to use if len(config.Architectures) > 0 { newConfig.Architectures = []string{} for _, arch := range config.Architectures { newArch, err := seccomp.ConvertStringToArch(string(arch)) if err != nil { return nil, err } newConfig.Architectures = append(newConfig.Architectures, newArch) } } // Convert default action from string representation newConfig.DefaultAction, err = seccomp.ConvertStringToAction(string(config.DefaultAction)) if err != nil { return nil, err } // Loop through all syscall blocks and convert them to libcontainer format for _, call := range config.Syscalls { newAction, err := seccomp.ConvertStringToAction(string(call.Action)) if err != nil { return nil, err } newCall := configs.Syscall{ Name: call.Name, Action: newAction, Args: []*configs.Arg{}, } // Loop through all the arguments of the syscall and convert them for _, arg := range call.Args { newOp, err := seccomp.ConvertStringToOperator(string(arg.Op)) if err != nil { return nil, err } newArg := configs.Arg{ Index: arg.Index, Value: arg.Value, ValueTwo: arg.ValueTwo, Op: newOp, } newCall.Args = append(newCall.Args, &newArg) } newConfig.Syscalls = append(newConfig.Syscalls, &newCall) } return newConfig, nil }