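// Source: github.com/ncdc/docker@v0.10.1-0.20160129113957-6c6729ef5b74/profiles/seccomp/seccomp.go

// +build linux

package seccomp

import (
	"encoding/json"
	"fmt"

	"github.com/docker/engine-api/types"
	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/libcontainer/seccomp"
)

// GetDefaultProfile returns the default seccomp profile.
//
// The result is the package-level defaultSeccompProfile pointer itself, not a
// copy. Callers should treat it as read-only: a write through the pointer
// changes the default seen by every later caller.
func GetDefaultProfile() *configs.Seccomp {
	return defaultSeccompProfile
}

// LoadProfile decodes body, the JSON text of a seccomp profile (not a file
// path), and converts it to the libcontainer representation.
//
// It returns (nil, nil) when the decoded profile has neither a default action
// nor any syscall rules. json.Unmarshal ignores object keys that match no
// field of types.Seccomp, so a profile with misspelled keys decodes to an
// empty one and also lands in that case. How callers treat a nil profile is
// not visible here; code that needs filtering to be in force should check for
// nil explicitly instead of assuming a non-nil result on a nil error.
func LoadProfile(body string) (*configs.Seccomp, error) {
	var config types.Seccomp
	if err := json.Unmarshal([]byte(body), &config); err != nil {
		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
	}

	return setupSeccomp(&config)
}

// setupSeccomp converts a decoded API profile into the libcontainer
// configs.Seccomp form, translating architecture, action and operator names
// through the libcontainer seccomp helpers.
//
// It returns (nil, nil) for a nil config and for a config with no default
// action and no syscalls. The first conversion error stops the conversion and
// is returned unchanged, with a nil profile.
func setupSeccomp(config *types.Seccomp) (*configs.Seccomp, error) {
	if config == nil {
		return nil, nil
	}

	// No default action specified, no syscalls listed, assume seccomp disabled.
	// NOTE(review): this is a fail-open default. An empty profile yields a nil
	// result with no error, so the decision to run unfiltered is left to the
	// caller.
	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
		return nil, nil
	}

	// Syscalls stays a non-nil (possibly empty) slice, as before.
	newConfig := &configs.Seccomp{
		Syscalls: make([]*configs.Syscall, 0, len(config.Syscalls)),
	}

	// With no architectures listed, Architectures is left unset and libseccomp
	// will figure out the architecture to use.
	if len(config.Architectures) > 0 {
		newConfig.Architectures = make([]string, 0, len(config.Architectures))
		for _, arch := range config.Architectures {
			newArch, err := seccomp.ConvertStringToArch(string(arch))
			if err != nil {
				return nil, err
			}
			newConfig.Architectures = append(newConfig.Architectures, newArch)
		}
	}

	// Convert default action from string representation.
	// NOTE(review): a profile with syscall rules but no default action reaches
	// this call with "". Whether that is rejected depends on
	// ConvertStringToAction, not on this function. TODO confirm.
	defaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
	if err != nil {
		return nil, err
	}
	newConfig.DefaultAction = defaultAction

	// Loop through all syscall blocks and convert them to libcontainer format.
	for _, call := range config.Syscalls {
		newAction, err := seccomp.ConvertStringToAction(string(call.Action))
		if err != nil {
			return nil, err
		}

		newCall := &configs.Syscall{
			Name:   call.Name,
			Action: newAction,
			Args:   make([]*configs.Arg, 0, len(call.Args)),
		}

		// Loop through all the arguments of the syscall and convert them.
		// Index, Value and ValueTwo are copied as given; only the operator
		// name is validated, by ConvertStringToOperator.
		for _, arg := range call.Args {
			newOp, err := seccomp.ConvertStringToOperator(string(arg.Op))
			if err != nil {
				return nil, err
			}

			newCall.Args = append(newCall.Args, &configs.Arg{
				Index:    arg.Index,
				Value:    arg.Value,
				ValueTwo: arg.ValueTwo,
				Op:       newOp,
			})
		}

		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
	}

	return newConfig, nil
}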