mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
97535c6c2b
This removes the dependency on the `pkg/parsers/kernel` package, because secomp only needs to consider Linux (and no parsing is needed for Windows or Darwin kernel versions). This patch implements the minimum requirements for this implementation: - only `kernel` and `major` versions are considered - `minor` version, `flavor`, and `-rcXX` suffixes are ignored So, for example: - `3.4.54.longterm-1` => `kernel: 3`, `major: 4` - `3.8.0-19-generic` => `kernel: 3`, `major: 8` - `3.10.0-862.2.3.el7.x86_64` => `kernel: 3`, `major: 10` Some systems also omit the `minor` and/or have odd-formatted versions. In context of generating seccomp profiles, both versions below are considered equal; - `3.12.25-gentoo` => `kernel: 3`, `major: 12` - `3.12-1-amd64` => `kernel: 3`, `major: 12` Note that `-rcX` suffixes are also not considered, and thus (e.g.) kernel `5.9-rc1`, `5.9-rc6` and `5.9` are all considered equal. The motivation for ignoring "minor" versions and "flavors" is that; - The upstream kernel only does "kernel.major" releases - While release-candidates exists for kernel (e.g. 5.9-rc5), we don't expect users to write profiles that target a specific release-candidate, and therefore consider (e.g.) kernel `5.9-rc1`, `5.9-rc6` and `5.9` to be equal. - Generally, a seccomp-profile should either be portable, or written for a specific infrastructure (in which case the writer of the profile would know if the kernel-flavors used does/does not support certain things. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
45 lines
1.8 KiB
Go
45 lines
1.8 KiB
Go
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
|
|
|
import "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
// Seccomp represents the config for a seccomp profile for syscall restriction.
|
|
type Seccomp struct {
|
|
DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
|
|
// Architectures is kept to maintain backward compatibility with the old
|
|
// seccomp profile.
|
|
Architectures []specs.Arch `json:"architectures,omitempty"`
|
|
ArchMap []Architecture `json:"archMap,omitempty"`
|
|
Syscalls []*Syscall `json:"syscalls"`
|
|
}
|
|
|
|
// Architecture is used to represent a specific architecture
|
|
// and its sub-architectures
|
|
type Architecture struct {
|
|
Arch specs.Arch `json:"architecture"`
|
|
SubArches []specs.Arch `json:"subArchitectures"`
|
|
}
|
|
|
|
// Filter is used to conditionally apply Seccomp rules
|
|
type Filter struct {
|
|
Caps []string `json:"caps,omitempty"`
|
|
Arches []string `json:"arches,omitempty"`
|
|
|
|
// MinKernel describes the minimum kernel version the rule must be applied
|
|
// on, in the format "<kernel version>.<major revision>" (e.g. "3.12").
|
|
//
|
|
// When matching the kernel version of the host, minor revisions, and distro-
|
|
// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
|
|
// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
|
|
MinKernel string `json:"minKernel,omitempty"`
|
|
}
|
|
|
|
// Syscall is used to match a group of syscalls in Seccomp
|
|
type Syscall struct {
|
|
Name string `json:"name,omitempty"`
|
|
Names []string `json:"names,omitempty"`
|
|
Action specs.LinuxSeccompAction `json:"action"`
|
|
Args []*specs.LinuxSeccompArg `json:"args"`
|
|
Comment string `json:"comment"`
|
|
Includes Filter `json:"includes"`
|
|
Excludes Filter `json:"excludes"`
|
|
}
|