improve seccomp format to be more expressive

Signed-off-by: grantseltzer <grantseltzer@gmail.com>
opencontainers · Feb 6, 2017 · 20d712a · 20d712a
1 parent 5398f4e
commit 20d712a
Showing 1 changed file with 41 additions and 10 deletions.
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -365,13 +365,6 @@ type LinuxDeviceCgroup struct {
 	Access string `json:"access,omitempty"`
 }
 
-// LinuxSeccomp represents syscall restrictions
-type LinuxSeccomp struct {
-	DefaultAction LinuxSeccompAction `json:"defaultAction"`
-	Architectures []Arch             `json:"architectures"`
-	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
-}
-
 // Solaris contains platform specific configuration for Solaris application containers.
 type Solaris struct {
 	// SMF FMRI which should go "online" before we start the container process.
@@ -469,6 +462,23 @@ type WindowsNetworkResources struct {
 	EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
 }
 
+// LinuxSeccomp represents syscall restrictions
+type LinuxSeccomp struct {
+	DefaultAction LinuxSeccompAction `json:"defaultAction"`
+	// Architectures is kept to maintain backward compatibility for projects
+	// that already use the old seccomp profile.
+	Architectures []Arch         `json:"architectures,omitempty"`
+	ArchMap       []Architecture `json:"archMap,omitempty"`
+	Syscalls      []LinuxSyscall `json:"syscalls"`
+}
+
+// Architecture is used to represent an specific architecture
+// and its sub-architectures
+type Architecture struct {
+	Arch      Arch   `json:"architecture"`
+	SubArches []Arch `json:"subArchitectures"`
+}
+
 // Arch used for additional architectures
 type Arch string
 
@@ -529,7 +539,28 @@ type LinuxSeccompArg struct {
 
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
-	Name   string             `json:"name"`
-	Action LinuxSeccompAction `json:"action"`
-	Args   []LinuxSeccompArg  `json:"args,omitempty"`
+	Name     string            `json:"name,omitempty"`
+	Names    []string          `json:"names,omitempty"`
+	Action   Action            `json:"action"`
+	Args     []LinuxSyscallArg `json:"args"`
+	Comment  string            `json:"comment"`
+	Includes Filter            `json:"includes"`
+	Excludes Filter            `json:"excludes"`
+}
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Filter is used to conditionally apply Seccomp rules
+type Filter struct {
+	Caps   []string `json:"caps,omitempty"`
+	Arches []string `json:"arches,omitempty"`
+}
+
+// LinuxSyscallArg used for matching specific syscall arguments in Seccomp
+type LinuxSyscallArg struct {
+	Index    uint                 `json:"index"`
+	Value    uint64               `json:"value"`
+	ValueTwo uint64               `json:"valueTwo"`
+	Op       LinuxSeccompOperator `json:"op"`
 }