
     1  // +build linux
     2  
     3  package seccomp
     4  
     5  import (
     6  	"encoding/json"
     7  	"fmt"
     8  
     9  	"github.com/docker/engine-api/types"
    10  	"github.com/opencontainers/runc/libcontainer/configs"
    11  	"github.com/opencontainers/runc/libcontainer/seccomp"
    12  )
    13  
    14  // GetDefaultProfile returns the default seccomp profile.
// GetDefaultProfile returns the package's built-in default seccomp profile.
func GetDefaultProfile() *configs.Seccomp {
	profile := defaultSeccompProfile
	return profile
}
    18  
    19  // LoadProfile takes a file path a decodes the seccomp profile.
// LoadProfile decodes a seccomp profile from its JSON text (body is the
// profile content, not a path) and converts it into the libcontainer
// representation. A decoding failure is reported with context; conversion
// errors from setupSeccomp are returned unchanged.
func LoadProfile(body string) (*configs.Seccomp, error) {
	profile := new(types.Seccomp)
	err := json.Unmarshal([]byte(body), profile)
	if err != nil {
		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
	}
	return setupSeccomp(profile)
}
    28  
// setupSeccomp converts an engine-api seccomp profile into the libcontainer
// configuration consumed by runc.
//
// A nil config, or one with an empty DefaultAction and no syscall rules, is
// treated as "seccomp disabled" and yields (nil, nil): such a profile produces
// no filter at all rather than a restrictive one, so callers must not rely on
// an empty profile to deny anything. Architectures, the default action, and
// every syscall action and argument operator are translated with the
// libcontainer seccomp string converters, in that order; the first conversion
// error aborts the whole conversion and is returned as-is.
func setupSeccomp(config *types.Seccomp) (newConfig *configs.Seccomp, err error) {
	if config == nil {
		return nil, nil
	}

	// Nothing to enforce: no default action and no rules means seccomp is off.
	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
		return nil, nil
	}

	// Architectures stays nil when none are listed, which lets libseccomp
	// pick the architecture itself.
	var archs []string
	if n := len(config.Architectures); n > 0 {
		archs = make([]string, 0, n)
		for _, archName := range config.Architectures {
			converted, convErr := seccomp.ConvertStringToArch(string(archName))
			if convErr != nil {
				return nil, convErr
			}
			archs = append(archs, converted)
		}
	}

	defaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
	if err != nil {
		return nil, err
	}

	// Syscalls is always a non-nil (possibly empty) slice.
	rules := make([]*configs.Syscall, 0, len(config.Syscalls))
	for _, rule := range config.Syscalls {
		action, convErr := seccomp.ConvertStringToAction(string(rule.Action))
		if convErr != nil {
			return nil, convErr
		}

		// Each rule's Args is likewise a non-nil slice, even when empty.
		args := make([]*configs.Arg, 0, len(rule.Args))
		for _, a := range rule.Args {
			op, opErr := seccomp.ConvertStringToOperator(string(a.Op))
			if opErr != nil {
				return nil, opErr
			}
			args = append(args, &configs.Arg{
				Index:    a.Index,
				Value:    a.Value,
				ValueTwo: a.ValueTwo,
				Op:       op,
			})
		}

		rules = append(rules, &configs.Syscall{
			Name:   rule.Name,
			Action: action,
			Args:   args,
		})
	}

	newConfig = &configs.Seccomp{
		DefaultAction: defaultAction,
		Architectures: archs,
		Syscalls:      rules,
	}
	return newConfig, nil
}