github.com/endocode/docker@v1.4.2-0.20160113120958-46eb4700391e/daemon/execdriver/native/seccomp.go (about)

     1  // +build linux
     2  
     3  package native
     4  
     5  import (
     6  	"encoding/json"
     7  	"fmt"
     8  
     9  	"github.com/docker/engine-api/types"
    10  	"github.com/opencontainers/runc/libcontainer/configs"
    11  	"github.com/opencontainers/runc/libcontainer/seccomp"
    12  )
    13  
// getDefaultSeccompProfile returns the package-level defaultSeccompProfile.
// The returned pointer is the shared package value, not a copy, so a caller
// that mutates it changes the default seen by every later caller.
func getDefaultSeccompProfile() (profile *configs.Seccomp) {
	profile = defaultSeccompProfile
	return profile
}
    17  
// loadSeccompProfile decodes a JSON seccomp profile and hands it to
// setupSeccomp for conversion into the libcontainer representation.
//
// body is the raw JSON text. It is decoded with encoding/json, which
// silently ignores unknown fields, so a misspelled key in a profile is not
// reported here; only structural decode failures are, wrapped in an error
// that carries the json error text. Everything else is validated by
// setupSeccomp.
func loadSeccompProfile(body string) (*configs.Seccomp, error) {
	var profile types.Seccomp
	err := json.Unmarshal([]byte(body), &profile)
	if err != nil {
		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
	}
	return setupSeccomp(&profile)
}
    26  
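// setupSeccomp converts an engine-api seccomp profile into the libcontainer
// configs.Seccomp form used by the native driver.
//
// It returns (nil, nil) when config is nil, or when the profile names
// neither a default action nor any syscall; the original intent of that
// branch is "seccomp disabled". Consequently an empty JSON object ("{}")
// yields no filter from this function rather than the package default
// profile — what the caller does with a nil result is decided elsewhere.
//
// Architectures, the default action, every syscall action and every
// argument operator are converted with the libcontainer seccomp helpers.
// The first conversion failure aborts the whole profile: the error names
// the syscall (and, for operators, the argument index) it belongs to so a
// bad entry in a long profile can be located, and no partially built
// profile is ever returned.
func setupSeccomp(config *types.Seccomp) (*configs.Seccomp, error) {
	if config == nil {
		return nil, nil
	}

	// No default action specified and no syscalls listed: treat as seccomp disabled.
	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
		return nil, nil
	}

	newConfig := &configs.Seccomp{
		Syscalls: make([]*configs.Syscall, 0, len(config.Syscalls)),
	}

	// An empty architecture list is left nil so that libseccomp picks the
	// architecture itself; a non-empty list is converted entry by entry.
	if len(config.Architectures) > 0 {
		newConfig.Architectures = make([]string, 0, len(config.Architectures))
		for _, arch := range config.Architectures {
			newArch, err := seccomp.ConvertStringToArch(string(arch))
			if err != nil {
				return nil, err
			}
			newConfig.Architectures = append(newConfig.Architectures, newArch)
		}
	}

	// Convert the default action from its string representation. An empty
	// default action with syscalls present reaches this call and is rejected
	// by the converter rather than silently defaulting.
	defaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
	if err != nil {
		return nil, err
	}
	newConfig.DefaultAction = defaultAction

	// Convert every syscall rule, then each rule's argument filters.
	for _, call := range config.Syscalls {
		action, err := seccomp.ConvertStringToAction(string(call.Action))
		if err != nil {
			return nil, fmt.Errorf("Invalid action for seccomp syscall %q: %v", call.Name, err)
		}

		newCall := &configs.Syscall{
			Name:   call.Name,
			Action: action,
			Args:   make([]*configs.Arg, 0, len(call.Args)),
		}

		for _, arg := range call.Args {
			op, err := seccomp.ConvertStringToOperator(string(arg.Op))
			if err != nil {
				return nil, fmt.Errorf("Invalid operator for argument %d of seccomp syscall %q: %v", arg.Index, call.Name, err)
			}
			newCall.Args = append(newCall.Args, &configs.Arg{
				Index:    arg.Index,
				Value:    arg.Value,
				ValueTwo: arg.ValueTwo,
				Op:       op,
			})
		}

		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
	}

	return newConfig, nil
}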