
     1  package seccomp
     2  
     3  import (
     4  	"fmt"
     5  	"sort"
     6  
     7  	"github.com/opencontainers/runc/libcontainer/configs"
     8  	"github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
// flagTsync is recognized but ignored by runc, and it is not defined
// in the runtime-spec.
//
// It is still listed in flags below, so KnownFlags and SupportedFlags
// report it alongside the spec-defined flags.
const flagTsync = "SECCOMP_FILTER_FLAG_TSYNC"
    14  
// operators maps the libseccomp SCMP_CMP_* comparison operator names to
// their configs.Operator values. It is the single source of truth for
// ConvertStringToOperator (lookup) and KnownOperators (listing).
var operators = map[string]configs.Operator{
	"SCMP_CMP_NE":        configs.NotEqualTo,
	"SCMP_CMP_LT":        configs.LessThan,
	"SCMP_CMP_LE":        configs.LessThanOrEqualTo,
	"SCMP_CMP_EQ":        configs.EqualTo,
	"SCMP_CMP_GE":        configs.GreaterThanOrEqualTo,
	"SCMP_CMP_GT":        configs.GreaterThan,
	"SCMP_CMP_MASKED_EQ": configs.MaskEqualTo,
}
    24  
// KnownOperators returns the list of the known operations.
// Used by `runc features`.
//
// The result is a freshly allocated, sorted slice; callers may modify it
// without affecting the package-level operators map.
func KnownOperators() []string {
	names := make([]string, 0, len(operators))
	for name := range operators {
		names = append(names, name)
	}
	// Map iteration order is random; sort so the output is stable.
	sort.Strings(names)
	return names
}
    35  
// actions maps the libseccomp SCMP_ACT_* action names to their
// configs.Action values. It is the single source of truth for
// ConvertStringToAction (lookup) and KnownActions (listing).
var actions = map[string]configs.Action{
	"SCMP_ACT_KILL":         configs.Kill,
	"SCMP_ACT_ERRNO":        configs.Errno,
	"SCMP_ACT_TRAP":         configs.Trap,
	"SCMP_ACT_ALLOW":        configs.Allow,
	"SCMP_ACT_TRACE":        configs.Trace,
	"SCMP_ACT_LOG":          configs.Log,
	"SCMP_ACT_NOTIFY":       configs.Notify,
	"SCMP_ACT_KILL_THREAD":  configs.KillThread,
	"SCMP_ACT_KILL_PROCESS": configs.KillProcess,
}
    47  
// KnownActions returns the list of the known actions.
// Used by `runc features`.
//
// The result is a freshly allocated, sorted slice; callers may modify it
// without affecting the package-level actions map.
func KnownActions() []string {
	names := make([]string, 0, len(actions))
	for name := range actions {
		names = append(names, name)
	}
	// Map iteration order is random; sort so the output is stable.
	sort.Strings(names)
	return names
}
    58  
// archs maps the libseccomp SCMP_ARCH_* architecture names to the short
// architecture strings used internally. It is the single source of truth
// for ConvertStringToArch (lookup) and KnownArchs (listing).
var archs = map[string]string{
	"SCMP_ARCH_X86":         "x86",
	"SCMP_ARCH_X86_64":      "amd64",
	"SCMP_ARCH_X32":         "x32",
	"SCMP_ARCH_ARM":         "arm",
	"SCMP_ARCH_AARCH64":     "arm64",
	"SCMP_ARCH_MIPS":        "mips",
	"SCMP_ARCH_MIPS64":      "mips64",
	"SCMP_ARCH_MIPS64N32":   "mips64n32",
	"SCMP_ARCH_MIPSEL":      "mipsel",
	"SCMP_ARCH_MIPSEL64":    "mipsel64",
	"SCMP_ARCH_MIPSEL64N32": "mipsel64n32",
	"SCMP_ARCH_PPC":         "ppc",
	"SCMP_ARCH_PPC64":       "ppc64",
	"SCMP_ARCH_PPC64LE":     "ppc64le",
	"SCMP_ARCH_RISCV64":     "riscv64",
	"SCMP_ARCH_S390":        "s390",
	"SCMP_ARCH_S390X":       "s390x",
}
    78  
// KnownArchs returns the list of the known archs.
// Used by `runc features`.
//
// The result is a freshly allocated, sorted slice of the SCMP_ARCH_* keys;
// callers may modify it without affecting the package-level archs map.
func KnownArchs() []string {
	names := make([]string, 0, len(archs))
	for name := range archs {
		names = append(names, name)
	}
	// Map iteration order is random; sort so the output is stable.
	sort.Sort(sort.StringSlice(names))
	return names
}
    89  
// ConvertStringToOperator converts a string into a Seccomp comparison operator.
// Comparison operators use the names they are assigned by Libseccomp's header.
// Attempting to convert a string that is not a valid operator results in an
// error.
//
// The lookup is an exact, case-sensitive match against the operators map;
// on error the returned operator is the zero value and must not be used.
func ConvertStringToOperator(in string) (configs.Operator, error) {
	op, ok := operators[in]
	if !ok {
		return 0, fmt.Errorf("string %s is not a valid operator for seccomp", in)
	}
	return op, nil
}
   100  
// ConvertStringToAction converts a string into a Seccomp rule match action.
// Actions use the names they are assigned in Libseccomp's header.
// Attempting to convert a string that is not a valid action results in an
// error.
//
// The lookup is an exact, case-sensitive match against the actions map;
// on error the returned action is the zero value and must not be used.
func ConvertStringToAction(in string) (configs.Action, error) {
	act, ok := actions[in]
	if !ok {
		return 0, fmt.Errorf("string %s is not a valid action for seccomp", in)
	}
	return act, nil
}
   111  
// ConvertStringToArch converts a string into a Seccomp comparison arch.
//
// in must be one of the SCMP_ARCH_* keys of the archs map; the returned
// value is the corresponding short architecture name. Unknown names
// produce an error and an empty string.
func ConvertStringToArch(in string) (string, error) {
	arch, ok := archs[in]
	if !ok {
		return "", fmt.Errorf("string %s is not a valid arch for seccomp", in)
	}
	return arch, nil
}
   119  
// List of flags known to this version of runc.
//
// The order here is the order in which KnownFlags and SupportedFlags
// report the flags. flagTsync is runc-specific; the other two come from
// the runtime-spec.
var flags = []string{
	flagTsync,
	string(specs.LinuxSeccompFlagSpecAllow),
	string(specs.LinuxSeccompFlagLog),
}
   126  
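// KnownFlags returns the list of the known filter flags.
// Used by `runc features`.
//
// A fresh copy is returned rather than the package-level flags slice, so
// that callers cannot modify the list that SupportedFlags iterates over.
// This also matches KnownOperators/KnownActions/KnownArchs, which each
// hand out a newly allocated slice.
func KnownFlags() []string {
	return append([]string(nil), flags...)
}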
   132  
// SupportedFlags returns the list of the supported filter flags.
// This list may be a subset of one returned by KnownFlags due to
// some flags not supported by the current kernel and/or libseccomp.
// Used by `runc features`.
//
// When seccomp is not Enabled the result is nil. Otherwise each known
// flag is probed with FlagSupported (defined elsewhere in this package)
// and kept only if the probe reports no error.
func SupportedFlags() []string {
	if !Enabled {
		return nil
	}

	// Deliberately left nil rather than empty when nothing matches, so
	// the "no flags" case looks the same as the disabled case above.
	var supported []string
	for _, name := range flags {
		flag := specs.LinuxSeccompFlag(name)
		if err := FlagSupported(flag); err != nil {
			continue
		}
		supported = append(supported, name)
	}
	return supported
}