
Commit d297bc1

committed
Use seccomp library for adding seccomp configuration flags
Signed-off-by: Grantseltzer <[email protected]>
1 parent 3334d03 commit d297bc1

10 files changed

Lines changed: 552 additions & 371 deletions


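--- a/cmd/ocitools/generate.go
+++ b/cmd/ocitools/generate.go
@@ -3,6 +3,7 @@ package main
 import (
 "os"
 "runtime"
+"strings"
 
 "github.com/opencontainers/ocitools/generate"
 rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -48,11 +49,14 @@ var generateFlags = []cli.Flag{
 cli.StringSliceFlag{Name: "gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"},
 cli.StringSliceFlag{Name: "sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"},
 cli.StringFlag{Name: "apparmor", Usage: "specifies the the apparmor profile for the container"},
-cli.StringFlag{Name: "seccomp-default", Usage: "specifies the the defaultaction of Seccomp syscall restrictions"},
-cli.StringSliceFlag{Name: "seccomp-arch", Usage: "specifies Additional architectures permitted to be used for system calls"},
-cli.StringSliceFlag{Name: "seccomp-syscalls", Usage: "specifies Additional architectures permitted to be used for system calls, e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op "},
-cli.StringSliceFlag{Name: "seccomp-allow", Usage: "specifies syscalls to be added to allowed"},
-cli.StringSliceFlag{Name: "seccomp-errno", Usage: "specifies syscalls to be added to list that returns an error"},
+cli.BoolFlag{Name: "seccomp-only", Usage: "specifies to export just a seccomp configuration file"},
+cli.StringFlag{Name: "seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"},
+cli.StringFlag{Name: "seccomp-default", Usage: "specifies default action to be used for system calls"},
+cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"},
+cli.StringFlag{Name: "seccomp-trap", Usage: "specifies syscalls to respond with trap"},
+cli.StringFlag{Name: "seccomp-errno", Usage: "specifies syscalls to respond with errno"},
+cli.StringFlag{Name: "seccomp-trace", Usage: "specifies syscalls to respond with trace"},
+cli.StringFlag{Name: "seccomp-kill", Usage: "specifies syscalls to respond with kill"},
 cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"},
 cli.StringSliceFlag{Name: "label", Usage: "add annotations to the configuration e.g. key=value"},
 }
@@ -82,13 +86,15 @@ var generateCommand = cli.Command{
 if err != nil {
 return err
 }
+var exportOpts generate.ExportOptions
+exportOpts.Seccomp = context.Bool("seccomp-only")
 
 if context.IsSet("output") {
-output := context.String("output")
-err = specgen.SaveToFile(output)
+err = specgen.SaveToFile(context.String("output"), exportOpts)
 } else {
-err = specgen.Save(os.Stdout)
+err = specgen.Save(os.Stdout, exportOpts)
 }
+
 if err != nil {
 return err
 }
@@ -301,65 +307,85 @@ func setupSpec(g generate.Generator, context *cli.Context) error {
 }
 }
 
-var sd string
-var sa, ss []string
+g, err := addSeccomp(g, context)
+if err != nil {
+return err
+}
+
+return nil
+}
+
+func addSeccomp(g generate.Generator, context *cli.Context) (generate.Generator, error) {
+seccompDefault := context.String("seccomp-default")
+seccompArch := context.String("seccomp-arch")
+seccompKill := context.String("seccomp-kill")
+seccompTrace := context.String("seccomp-trace")
+seccompErrno := context.String("seccomp-errno")
+seccompTrap := context.String("seccomp-trap")
+seccompAllow := context.String("seccomp-allow")
 
-if context.IsSet("seccomp-default") {
-sd = context.String("seccomp-default")
+// Set the DefaultAction of seccomp
+if seccompDefault == "" {
+seccompDefault = "errno"
 }
 
-if context.IsSet("seccomp-arch") {
-sa = context.StringSlice("seccomp-arch")
+err := g.SetDefaultSeccompAction(seccompDefault)
+if err != nil {
+return g, err
 }
 
-if context.IsSet("seccomp-syscalls") {
-ss = context.StringSlice("seccomp-syscalls")
+// Add the additional architectures permitted to be used for system calls
+if seccompArch == "" {
+seccompArch = "amd64,x86,x32" // Default Architectures
 }
 
-if sd == "" && len(sa) == 0 && len(ss) == 0 {
-return nil
+architectureArgs := strings.Split(seccompArch, ",")
+err = g.SetSeccompArchitectures(architectureArgs)
+if err != nil {
+return g, err
 }
 
-// Set the DefaultAction of seccomp
-if context.IsSet("seccomp-default") {
-if err := g.SetLinuxSeccompDefault(sd); err != nil {
-return err
+if seccompKill != "" {
+killArgs := strings.Split(seccompKill, ",")
+err = g.SetSyscallActions("kill", killArgs)
+if err != nil {
+return g, err
 }
 }
 
-// Add the additional architectures permitted to be used for system calls
-if context.IsSet("seccomp-arch") {
-for _, arch := range sa {
-if err := g.AddLinuxSeccompArch(arch); err != nil {
-return err
-}
+if seccompTrace != "" {
+traceArgs := strings.Split(seccompTrace, ",")
+err = g.SetSyscallActions("trace", traceArgs)
+if err != nil {
+return g, err
 }
 }
 
-// Set syscall restrict in Seccomp
-if context.IsSet("seccomp-syscalls") {
-for _, syscall := range ss {
-if err := g.AddLinuxSeccompSyscall(syscall); err != nil {
-return err
-}
+if seccompErrno != "" {
+errnoArgs := strings.Split(seccompErrno, ",")
+err = g.SetSyscallActions("errno", errnoArgs)
+if err != nil {
+return g, err
 }
 }
 
-if context.IsSet("seccomp-allow") {
-seccompAllows := context.StringSlice("seccomp-allow")
-for _, s := range seccompAllows {
-g.AddLinuxSeccompSyscallAllow(s)
+if seccompTrap != "" {
+trapArgs := strings.Split(seccompTrap, ",")
+err = g.SetSyscallActions("trap", trapArgs)
+if err != nil {
+return g, err
 }
 }
 
-if context.IsSet("seccomp-errno") {
-seccompErrnos := context.StringSlice("seccomp-errno")
-for _, s := range seccompErrnos {
-g.AddLinuxSeccompSyscallErrno(s)
+if seccompAllow != "" {
+allowArgs := strings.Split(seccompAllow, ",")
+err = g.SetSyscallActions("allow", allowArgs)
+if err != nil {
+return g, err
 }
 }
 
-return nil
+return g, nil
 }
 
 func checkNs(nsMaps map[string]string, nsName string) bool {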
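Review bot: The guard that left seccomp untouched when no --seccomp-* flag was given (the removed `if sd == "" && len(sa) == 0 && len(ss) == 0 { return nil }`) has no counterpart in addSeccomp, so every generated config now receives default action "errno" and architectures amd64,x86,x32 even when the caller asked for nothing, which also overrides whatever a --template already carried; if that is deliberate it deserves a comment above the `seccompDefault = "errno"` line, otherwise an early `return g, nil` when all seven flag values are empty restores the old behaviour. Nothing on the page shows how SetSyscallActions resolves a syscall listed under two actions (say both --seccomp-kill and --seccomp-allow), so the call order kill, trace, errno, trap, allow is effectively part of the policy and should be stated in a doc comment on addSeccomp. The five per-action blocks differ only in the action name and could be one table-driven loop, which makes that precedence explicit in one place. setupSpec begins before this hunk.
```go
// … unchanged: flag reads, default action and architecture handling …
// Actions are applied in this order; a later entry overrides an earlier one
// for any syscall named under both, so "allow" has the final say.
for _, sc := range []struct{ action, list string }{
	{"kill", seccompKill},
	{"trace", seccompTrace},
	{"errno", seccompErrno},
	{"trap", seccompTrap},
	{"allow", seccompAllow},
} {
	if sc.list == "" {
		continue
	}
	if err = g.SetSyscallActions(sc.action, strings.Split(sc.list, ",")); err != nil {
		return g, err
	}
}
return g, nil
```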
