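// +build linux

package native

import (
	"encoding/json"
	"fmt"
	"io/ioutil"

	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/libcontainer/seccomp"
	"github.com/opencontainers/specs"
)

// getDefaultSeccompProfile returns the package-level default seccomp profile
// (defaultSeccompProfile, defined elsewhere in this package) in libcontainer
// form. The pointer is shared rather than copied, so callers must treat the
// result as read-only.
func getDefaultSeccompProfile() *configs.Seccomp {
	return defaultSeccompProfile
}

// loadSeccompProfile reads an OCI-format seccomp profile (JSON) from path and
// converts it into libcontainer's representation via setupSeccomp.
//
// The file is read by this process, so path is resolved relative to the
// daemon and with the daemon's privileges, not the client's. Decoding uses
// json.Unmarshal, which ignores unknown fields: a misspelled key (for example
// "defaultaction") is silently dropped rather than rejected, and a profile
// that ends up with neither a default action nor any rules makes setupSeccomp
// return nil, i.e. seccomp disabled. Callers that require seccomp should
// therefore check for a nil result.
//
// Read and decode failures are returned with context; conversion failures
// come from setupSeccomp.
func loadSeccompProfile(path string) (*configs.Seccomp, error) {
	raw, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("Opening seccomp profile failed: %v", err)
	}

	var profile specs.Seccomp
	if err := json.Unmarshal(raw, &profile); err != nil {
		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
	}
	return setupSeccomp(&profile)
}

// setupSeccomp converts an OCI seccomp spec into libcontainer's configs.Seccomp.
//
// A nil config, or one with neither a default action nor any syscall rules,
// yields (nil, nil): seccomp is treated as disabled for the container rather
// than applied as an empty filter. Every architecture, action and operator
// string is converted through the libcontainer seccomp helpers; the first
// value they reject aborts the conversion with an error naming the offending
// entry, so a profile is either accepted whole or rejected, never partially
// applied. Syscall rules without a name are rejected here as well.
func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
	if config == nil {
		return nil, nil
	}
	// No default action and no rules: the profile says nothing, so seccomp
	// stays off. Only this exact combination is a silent no-op; rules without a
	// default action fall through to the conversion below and are expected to
	// be rejected there (the empty string is not a known action).
	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
		return nil, nil
	}

	out := &configs.Seccomp{
		// Non-nil even when empty, matching the original shape handed downstream.
		Syscalls: make([]*configs.Syscall, 0, len(config.Syscalls)),
	}

	// An empty architecture list is deliberately left nil so that libseccomp
	// selects the architecture itself.
	if len(config.Architectures) > 0 {
		out.Architectures = make([]string, 0, len(config.Architectures))
		for _, arch := range config.Architectures {
			converted, err := seccomp.ConvertStringToArch(string(arch))
			if err != nil {
				return nil, fmt.Errorf("seccomp architecture %q: %v", arch, err)
			}
			out.Architectures = append(out.Architectures, converted)
		}
	}

	defaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
	if err != nil {
		return nil, fmt.Errorf("seccomp default action %q: %v", config.DefaultAction, err)
	}
	out.DefaultAction = defaultAction

	// NOTE(review): if specs.Seccomp.Syscalls (or Syscall.Args) is a slice of
	// pointers in this version of the spec, a JSON null entry would dereference
	// nil below, exactly as in the original loop -- confirm the type and add a
	// nil guard if so.
	for i, call := range config.Syscalls {
		// An unnamed rule cannot map to a syscall; fail here so the error
		// points at the profile instead of surfacing when the filter is
		// applied at container start.
		if call.Name == "" {
			return nil, fmt.Errorf("seccomp syscall rule %d has no name", i)
		}
		action, err := seccomp.ConvertStringToAction(string(call.Action))
		if err != nil {
			return nil, fmt.Errorf("seccomp syscall %q: %v", call.Name, err)
		}
		rule := &configs.Syscall{
			Name:   call.Name,
			Action: action,
			Args:   make([]*configs.Arg, 0, len(call.Args)),
		}
		for _, arg := range call.Args {
			op, err := seccomp.ConvertStringToOperator(string(arg.Op))
			if err != nil {
				return nil, fmt.Errorf("seccomp syscall %q argument %d: %v", call.Name, arg.Index, err)
			}
			rule.Args = append(rule.Args, &configs.Arg{
				Index:    arg.Index,
				Value:    arg.Value,
				ValueTwo: arg.ValueTwo,
				Op:       op,
			})
		}
		out.Syscalls = append(out.Syscalls, rule)
	}
	return out, nil
}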