From caca8409727da48f0c884f52410c57fc66ae125d Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Thu, 12 Nov 2015 17:03:53 -0800
Subject: [PATCH] Add seccomp trace support

Closes #347

Signed-off-by: Michael Crosby
---
 libcontainer/configs/config.go | 5 +++--
 libcontainer/seccomp/config.go | 1 +
 libcontainer/seccomp/seccomp_linux.go | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 3a76732b..069daae2 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -33,17 +33,18 @@ type Seccomp struct {
 type Action int
 
 const (
-	Kill Action = iota - 4
+	Kill Action = iota + 1
 	Errno
 	Trap
 	Allow
+	Trace
 )
 
 // A comparison operator to be used when matching syscall arguments in Seccomp
 type Operator int
 
 const (
-	EqualTo Operator = iota
+	EqualTo Operator = iota + 1
 	NotEqualTo
 	GreaterThan
 	GreaterThanOrEqualTo
diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
index 5a3d016d..3b9a7595 100644
--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -21,6 +21,7 @@ var actions = map[string]configs.Action{
 	"SCMP_ACT_ERRNO": configs.Errno,
 	"SCMP_ACT_TRAP": configs.Trap,
 	"SCMP_ACT_ALLOW": configs.Allow,
+	"SCMP_ACT_TRACE": configs.Trace,
 }
 
 var archs = map[string]string{
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
index 1e9ccf8f..aff1b63a 100644
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -15,6 +15,7 @@ var (
 	actAllow = libseccomp.ActAllow
 	actTrap = libseccomp.ActTrap
 	actKill = libseccomp.ActKill
+	actTrace = libseccomp.ActTrace.SetReturnCode(int16(syscall.EPERM))
 	actErrno = libseccomp.ActErrno.SetReturnCode(int16(syscall.EPERM))
 )
 
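Review bot: Rebasing both enums to `iota + 1` in the configs/config.go hunk renumbers every Action and Operator value, and neither const block gets a comment saying why. Anywhere these are stored or constructed as integers (a persisted container state file, a caller that built the value numerically) will now decode differently: an old Operator value names the operator one position earlier, so a stored NotEqualTo reads back as EqualTo and inverts an argument match in a seccomp rule, while old negative Action values no longer match any case and fail closed through getAction's default branch in seccomp_linux.go. A comment on each block would make the intent explicit, e.g. `// Values start at 1 so the zero value of Action is invalid rather than a real action.` and, for Operator, `// Values start at 1 so an unset Operator is invalid rather than silently meaning EqualTo.`. The Seccomp struct and the tail of the Operator list lie outside the hunk.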
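Review bot: `actTrace = libseccomp.ActTrace.SetReturnCode(int16(syscall.EPERM))` in the seccomp_linux.go var hunk mirrors the actErrno line, but for SCMP_ACT_TRACE the 16-bit value is not an errno: it is the SECCOMP_RET_DATA a ptrace tracer reads via PTRACE_GETEVENTMSG, and when no tracer is attached the kernel denies the syscall with ENOSYS regardless of this value, so a caller expecting EPERM from a Trace rule will not see it. If EPERM is intended only as a recognisable tracer message, say so; otherwise a plain `actTrace = libseccomp.ActTrace` is clearer. Either way a comment above the line would prevent the next reader from making the same assumption, e.g. `// Trace defers the syscall to an attached ptrace tracer; the value set here is the tracer message, not an errno, and with no tracer present the kernel returns ENOSYS.`. The var block is opened outside the hunk, and the Trace case that returns this value sits in the second hunk of this file.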
@@ -83,6 +84,8 @@ func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
 		return actTrap, nil
 	case configs.Allow:
 		return actAllow, nil
+	case configs.Trace:
+		return actTrace, nil
 	default:
 		return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
 	}