config: Improve seccomp format to be more expressive #657

Merged: 1 commit, Feb 25, 2017
11 changes: 8 additions & 3 deletions config-linux.md
Expand Up @@ -538,12 +538,17 @@ Operator Constants:
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86"
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
"names": [
"getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
}
]
}
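Review bot: Only the JSON example changes in this hunk (the `name` key becomes a `names` array and a new `comment` key appears); no line here updates the field descriptions for `syscalls`, so a reader cannot tell whether `names` is required, whether it may be empty, or what `comment` is for. Add descriptions for both fields next to the existing `syscalls` property documentation, and pick a sample value that reads as documentation rather than `"comment": "stop exploit x"`, e.g. `"comment": "deny getcwd and chmod"`.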
11 changes: 8 additions & 3 deletions config.md
Expand Up @@ -710,12 +710,17 @@ Here is a full example `config.json` for reference.
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86"
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
"names": [
"getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
}
]
},
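Review bot: This block is a copy of the config-linux.md example, so the two must stay in lockstep; the `},` here versus `}` there is only surrounding context, but the `names`, `action` and `comment` lines must match exactly. Because this is the full reference `config.json`, it should only exercise fields the schema knows about: the schema hunk in this PR adds `names` but not `comment`, so as written the reference example contains a property that `schema/defs-linux.json` does not define.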
6 changes: 4 additions & 2 deletions schema/defs-linux.json
Expand Up @@ -63,8 +63,10 @@
"Syscall": {
"type": "object",
"properties": {
"name": {
"type": "string"
"names": {
"type": [
"string"
]
},
"action": {
"$ref": "#/definitions/SeccompAction"
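Review bot: The new `names` definition does not match the examples: in JSON Schema, `"type": ["string"]` is a one-element list of allowed types, so it still validates a single string and rejects the `["getcwd", "chmod"]` array used in config-linux.md and config.md. It should be `"type": "array", "items": { "type": "string" }`, with `"minItems": 1` if an empty list is not meaningful. The `comment` property that the examples and the Go `LinuxSyscall` type now carry is also absent here, and any `required` list for `Syscall` needs `name` swapped for `names`.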
21 changes: 11 additions & 10 deletions specs-go/config.go
Expand Up @@ -365,13 +365,6 @@ type LinuxDeviceCgroup struct {
Access string `json:"access,omitempty"`
}

// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures"`
Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}

// Solaris contains platform specific configuration for Solaris application containers.
type Solaris struct {
// SMF FMRI which should go "online" before we start the container process.
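Review bot: This deletion is a relocation rather than a removal: the same `LinuxSeccomp` type is re-added in the next hunk, just before `type Arch string`, presumably to group it with the other seccomp types. That is reasonable, but it is unrelated to the stated purpose of the PR and turns a two-line tag change into two hunks; either mention the move in the commit message or split it into its own commit. Note also that the re-added copy is not identical to the lines removed here (the `omitempty` tags on `architectures` and `syscalls` differ), which is easy to miss once the struct has moved.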
Expand Down Expand Up @@ -469,6 +462,13 @@ type WindowsNetworkResources struct {
EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
}

// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures,omitempty"`
Syscalls []LinuxSyscall `json:"syscalls"`
}

// Arch used for additional architectures
type Arch string

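Review bot: The re-added struct swaps the optionality of two fields compared with the removed one: `architectures` gains `omitempty` and `syscalls` loses it. With `json:"syscalls"` and no `omitempty`, a `LinuxSeccomp` whose `Syscalls` slice is nil now serializes as `"syscalls": null`, which consumers expecting an array will have to special-case, and a profile consisting of only a `defaultAction` is a legitimate configuration. Keep `syscalls,omitempty` unless the spec text is being changed to make `syscalls` required, and if `architectures` is now optional, say so in config-linux.md.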
Expand Down Expand Up @@ -529,7 +529,8 @@ type LinuxSeccompArg struct {

// LinuxSyscall is used to match a syscall in Seccomp
type LinuxSyscall struct {
Name string `json:"name"`
Action LinuxSeccompAction `json:"action"`
Args []LinuxSeccompArg `json:"args,omitempty"`
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
Args []LinuxSeccompArg `json:"args"`
Contributor
You seem to be replacing LinuxSeccompArg with LinuxSyscallArg, but that leaves a dangling LinuxSeccompArg type (at least as of c36c819):

$ git grep LinuxSeccompArg origin/pr/657
origin/pr/657:specs-go/config.go:// LinuxSeccompArg used for matching specific syscall arguments in Seccomp
origin/pr/657:specs-go/config.go:type LinuxSeccompArg struct {

Also, we'll need to update the Markdown spec to cover this change, since there is definitely a schema change going on and the Go types are not normative. The JSON Schema will need updating as well.

$ git show --stat --oneline origin/pr/657
c36c819 improve seccomp format to be more expressive
 specs-go/config.go | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

Contributor Author
@grantseltzer grantseltzer Feb 22, 2017
Fixed that, did not mean for that replacement.

Updating markdown as well.

Comment string `json:"comment"`
}
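Review bot: Two tag regressions here: `Args` drops `omitempty` (`json:"args"`), so every rule without argument filters now emits `"args": null`, and the new `Comment string `json:"comment"`` has no `omitempty` either, so every rule emits `"comment": ""`. Restore `args,omitempty` and use `comment,omitempty`; a free-form comment should never be mandatory on the wire. Renaming `name` to `names` is a backwards-incompatible change to the config format, so the doc comment on `LinuxSyscall` should state that every entry in `Names` receives the same `Action` and `Args`, and the rename should be called out as a breaking change in the PR description.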