From bed0bb7d017bb4a8400ac2c031dc74cd74240bfb Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Tue, 19 Jan 2016 14:57:03 -0800
Subject: [PATCH] move default seccomp profile into package
Signed-off-by: Jessica Frazelle
---
 daemon/execdriver/native/create.go | 5 ++--
 profiles/seccomp/fixtures/example.json | 27 +++++++++++++++++++
 .../native => profiles/seccomp}/seccomp.go | 8 +++---
 .../seccomp}/seccomp_default.go | 2 +-
 profiles/seccomp/seccomp_test.go | 19 +++++++++++++
 .../seccomp}/seccomp_unsupported.go | 2 +-
 6 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100755 profiles/seccomp/fixtures/example.json
 rename {daemon/execdriver/native => profiles/seccomp}/seccomp.go (90%)
 rename {daemon/execdriver/native => profiles/seccomp}/seccomp_default.go (99%)
 create mode 100644 profiles/seccomp/seccomp_test.go
 rename {daemon/execdriver/native => profiles/seccomp}/seccomp_unsupported.go (89%)
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index 4f97ed93f8..3cb48b41fa 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -11,6 +11,7 @@ import (
 "github.com/docker/docker/daemon/execdriver"
 derr "github.com/docker/docker/errors"
 "github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/profiles/seccomp"
 "github.com/docker/docker/volume"
 "github.com/opencontainers/runc/libcontainer/apparmor"
@@ -71,7 +72,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 }
 if c.SeccompProfile == "" {
- container.Seccomp = getDefaultSeccompProfile()
+ container.Seccomp = seccomp.GetDefaultProfile()
 }
 }
 // add CAP_ prefix to all caps for new libcontainer update to match
@@ -88,7 +89,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 }
 if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
- container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)
+ container.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile)
 if err != nil {
 return nil, err
 }
diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json
new file mode 100755
index 0000000000..674ca50fd9
--- /dev/null
+++ b/profiles/seccomp/fixtures/example.json
@@ -0,0 +1,27 @@
+{
+ "defaultAction": "SCMP_ACT_ERRNO",
+ "syscalls": [
+ {
+ "name": "clone",
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 2080505856,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_MASKED_EQ"
+ }
+ ]
+ },
+ {
+ "name": "open",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "close",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ }
+ ]
+}
diff --git a/daemon/execdriver/native/seccomp.go b/profiles/seccomp/seccomp.go
similarity index 90%
rename from daemon/execdriver/native/seccomp.go
rename to profiles/seccomp/seccomp.go
index 8263012341..fbc0307bc3 100644
--- a/daemon/execdriver/native/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -1,6 +1,6 @@
 // +build linux
 
-package native
+package seccomp
 
 import (
 "encoding/json"
@@ -11,11 +11,13 @@ import (
 "github.com/opencontainers/runc/libcontainer/seccomp"
 )
 
-func getDefaultSeccompProfile() *configs.Seccomp {
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile() *configs.Seccomp {
 return defaultSeccompProfile
 }
 
-func loadSeccompProfile(body string) (*configs.Seccomp, error) {
+// LoadProfile takes a file path a decodes the seccomp profile.
+func LoadProfile(body string) (*configs.Seccomp, error) {
 var config types.Seccomp
 if err := json.Unmarshal([]byte(body), &config); err != nil {
 return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
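Review bot: The fixture is added as an executable (`create mode 100755 profiles/seccomp/fixtures/example.json` in the patch header) although it is plain JSON data read by the test; it should be committed with mode 100644 so nothing can treat a policy fixture as a runnable file. The content itself is consistent with what LoadProfile decodes (a defaultAction plus syscalls with name, action and args), so only the mode needs changing.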
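Review bot: The new doc comment on LoadProfile is wrong about its argument: the body calls `json.Unmarshal([]byte(body), &config)`, so `body` is the profile's JSON text, not a file path, and the sentence also has a typo ("a decodes"); suggest `// LoadProfile decodes a seccomp profile from its JSON body; reading the file is the caller's job.` (create.go passes `c.SeccompProfile` straight through, so callers need that contract spelled out). Separately, GetDefaultProfile returns the package-level `defaultSeccompProfile` pointer itself (presumably declared in seccomp_default.go, outside this hunk), so any caller that mutates the returned *configs.Seccomp — for instance by appending to its Syscalls — silently changes the default policy applied to every container created afterwards; now that the function is exported to other packages, returning a copy would keep the default immutable. LoadProfile's body continues past the end of the hunk.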
diff --git a/daemon/execdriver/native/seccomp_default.go b/profiles/seccomp/seccomp_default.go
similarity index 99%
rename from daemon/execdriver/native/seccomp_default.go
rename to profiles/seccomp/seccomp_default.go
index a3b4028359..1150ee8feb 100644
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -1,6 +1,6 @@
 // +build linux,seccomp
 
-package native
+package seccomp
 
 import (
 "syscall"
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
new file mode 100644
index 0000000000..11df61e94d
--- /dev/null
+++ b/profiles/seccomp/seccomp_test.go
@@ -0,0 +1,19 @@
+// +build linux
+
+package seccomp
+
+import (
+ "io/ioutil"
+ "testing"
+)
+
+func TestLoadProfile(t *testing.T) {
+ f, err := ioutil.ReadFile("fixtures/example.json")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if _, err := LoadProfile(string(f)); err != nil {
+ t.Fatal(err)
+ }
+}
diff --git a/daemon/execdriver/native/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
similarity index 89%
rename from daemon/execdriver/native/seccomp_unsupported.go
rename to profiles/seccomp/seccomp_unsupported.go
index b0173ecfae..47e386a7d6 100644
--- a/daemon/execdriver/native/seccomp_unsupported.go
+++ b/profiles/seccomp/seccomp_unsupported.go
@@ -1,6 +1,6 @@
 // +build linux,!seccomp
 
-package native
+package seccomp
 
 import "github.com/opencontainers/runc/libcontainer/configs"
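Review bot: TestLoadProfile only checks that LoadProfile returns no error for fixtures/example.json and discards the decoded profile (`if _, err := LoadProfile(string(f)); err != nil`), so a regression in the translation from types.Seccomp to configs.Seccomp — a wrong default action, a dropped syscall, or a lost masked-equality argument on clone — would still pass. Keep the result with `p, err := LoadProfile(string(f))` and assert on it: the default action matches the fixture's SCMP_ACT_ERRNO, `len(p.Syscalls) == 3`, and the clone entry carries its index/value/op argument. A second case that feeds malformed JSON and expects an error would also cover the rejection path that create.go relies on for user-supplied profiles. The test function is complete within the hunk.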