
     1  package seccomp // import "github.com/docker/docker/profiles/seccomp"
     2  
     3  import (
     4  	"encoding/json"
     5  	"fmt"
     6  	"strconv"
     7  	"strings"
     8  
     9  	"github.com/opencontainers/runtime-spec/specs-go"
    10  )
    11  
// Seccomp represents the config for a seccomp profile for syscall restriction.
//
// It is the JSON form of a Docker seccomp profile. The action and architecture
// values reuse the OCI runtime-spec types (specs.LinuxSeccompAction,
// specs.Arch) directly rather than redefining them.
type Seccomp struct {
	// DefaultAction is the profile's fallback action (it mirrors the
	// runtime-spec LinuxSeccomp.DefaultAction field). It has no omitempty, so
	// it is always serialized, even when left at its zero value.
	DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
	// Architectures is kept to maintain backward compatibility with the old
	// seccomp profile.
	Architectures []specs.Arch   `json:"architectures,omitempty"`
	// ArchMap lists architectures together with their sub-architectures.
	// NOTE(review): presumably the newer replacement for Architectures, given
	// the comment above — confirm against the profile loader.
	ArchMap       []Architecture `json:"archMap,omitempty"`
	// Syscalls are the per-syscall rules layered on top of DefaultAction.
	// The tag has no omitempty, so a nil slice serializes as JSON null rather
	// than being dropped from the output.
	Syscalls      []*Syscall     `json:"syscalls"`
}
    21  
// Architecture is used to represent a specific architecture
// and its sub-architectures
//
// It is the element type of Seccomp.ArchMap. Neither field carries
// omitempty, so both keys are always present in the JSON output; an entry
// with no sub-architectures encodes SubArches as null.
type Architecture struct {
	// Arch is the primary architecture this entry describes.
	Arch      specs.Arch   `json:"architecture"`
	// SubArches are the sub-architectures associated with Arch.
	SubArches []specs.Arch `json:"subArchitectures"`
}
    28  
// Filter is used to conditionally apply Seccomp rules
//
// A Filter is attached to a Syscall as its Includes or Excludes. Every field
// is optional and omitted from JSON when empty; the matching logic itself is
// not part of this file.
type Filter struct {
	// Caps lists names the rule is conditioned on. NOTE(review): presumably
	// Linux capability names — confirm with the code that evaluates filters.
	Caps   []string `json:"caps,omitempty"`
	// Arches lists architecture names the rule is conditioned on. Unlike
	// Seccomp.Architectures these are plain strings, not specs.Arch.
	Arches []string `json:"arches,omitempty"`

	// MinKernel describes the minimum kernel version the rule must be applied
	// on, in the format "<kernel version>.<major revision>" (e.g. "3.12").
	//
	// When matching the kernel version of the host, minor revisions, and distro-
	// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
	// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
	//
	// It is a pointer so that an absent key (nil) stays distinguishable from
	// a parsed version; nil is omitted from the JSON output.
	MinKernel *KernelVersion `json:"minKernel,omitempty"`
}
    42  
// Syscall is used to match a group of syscalls in Seccomp
//
// Each entry pairs one or more syscall names with the Action to take and the
// Filters (Includes/Excludes) that decide whether the rule is applied.
type Syscall struct {
	// Name and Names both carry syscall names: Name a single one, Names a list.
	// NOTE(review): presumably only one of the two is set per rule and the
	// single-name form is the older one — confirm with the profile loader.
	Name     string                   `json:"name,omitempty"`
	Names    []string                 `json:"names,omitempty"`
	// Action is the seccomp action to take for the matched syscalls; it is
	// always serialized.
	Action   specs.LinuxSeccompAction `json:"action"`
	// ErrnoRet is the errno value to return; nil means unset and is omitted.
	// NOTE(review): presumably only meaningful for an errno-returning Action —
	// confirm against the runtime-spec semantics.
	ErrnoRet *uint                    `json:"errnoRet,omitempty"`
	// Args holds per-argument conditions. The tag has no omitempty, so a nil
	// slice serializes as JSON null rather than being dropped.
	Args     []*specs.LinuxSeccompArg `json:"args"`
	// Comment is free-form text for profile authors; nothing in this file
	// interprets it, and it is always serialized.
	Comment  string                   `json:"comment"`
	// Includes and Excludes condition the rule on the host (see Filter).
	// Both are value types with no omitempty, so they always appear in JSON.
	Includes Filter                   `json:"includes"`
	Excludes Filter                   `json:"excludes"`
}
    54  
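// KernelVersion holds information about the kernel.
//
// Only the kernel version and major revision are tracked; minor revisions and
// distro suffixes have no representation here (see Filter.MinKernel).
type KernelVersion struct {
	Kernel uint64 // Version of the Kernel (i.e., the "4" in "4.1.2-generic")
	Major  uint64 // Major revision of the Kernel (i.e., the "1" in "4.1.2-generic")
}

// String implements fmt.Stringer for KernelVersion.
//
// It returns "<kernel>.<major>", or the empty string when the version is
// unset (both fields zero) or the receiver is nil. The empty string is the
// same form MarshalJSON emits and UnmarshalJSON accepts for an unset version.
func (k *KernelVersion) String() string {
	// A nil *KernelVersion (e.g. an absent Filter.MinKernel) reads as "unset"
	// instead of dereferencing nil.
	if k == nil || (k.Kernel == 0 && k.Major == 0) {
		return ""
	}
	return strconv.FormatUint(k.Kernel, 10) + "." + strconv.FormatUint(k.Major, 10)
}

// MarshalJSON implements json.Marshaler for KernelVersion.
//
// The version is encoded as the JSON string produced by String
// (e.g. "4.1"), or "" when the version is unset.
func (k *KernelVersion) MarshalJSON() ([]byte, error) {
	return json.Marshal(k.String())
}

// UnmarshalJSON implements json.Unmarshaler for KernelVersion.
//
// version must be a JSON string of the form "<kernel>.<major>", where both
// components are decimal integers in the range 0-255 and are not both zero
// (e.g. "3.12"). An empty string is accepted and leaves the receiver
// unchanged. Any other input — a non-string, a missing component, or a third
// ".<minor>" component — returns an error, and the receiver is only modified
// when parsing succeeds.
func (k *KernelVersion) UnmarshalJSON(version []byte) error {
	// make sure we have a string
	var ver string
	if err := json.Unmarshal(version, &ver); err != nil {
		return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
	}
	if ver == "" {
		return nil
	}
	// A limit of 3 makes a third component visible, so "3.12.25" is rejected
	// instead of being silently truncated to 3.12.
	parts := strings.SplitN(ver, ".", 3)
	if len(parts) != 2 {
		return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>"`, string(version))
	}
	// Parse into locals so that a failure on the second component (or the
	// 0.0 check) does not leave the receiver half-updated; note that
	// ParseUint returns the bitSize maximum, not 0, on a range error.
	kernel, err := strconv.ParseUint(parts[0], 10, 8)
	if err != nil {
		return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
	}
	major, err := strconv.ParseUint(parts[1], 10, 8)
	if err != nil {
		return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
	}
	if kernel == 0 && major == 0 {
		return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": version cannot be 0.0`, string(version))
	}
	k.Kernel, k.Major = kernel, major
	return nil
}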