improve seccomp format to be more expressive

Signed-off-by: grantseltzer <grantseltzer@gmail.com>
This commit is contained in:
grantseltzer 2017-01-13 19:27:24 -05:00
parent 5398f4e217
commit 652323cd77
4 changed files with 31 additions and 18 deletions

View File

@ -538,12 +538,17 @@ Operator Constants:
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86"
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
"names": [
"getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
}
]
}

View File

@ -710,12 +710,17 @@ Here is a full example `config.json` for reference.
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86"
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
"names": [
"getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
}
]
},

View File

@ -63,8 +63,10 @@
"Syscall": {
"type": "object",
"properties": {
"name": {
"type": "string"
"names": {
"type": [
"string"
]
},
"action": {
"$ref": "#/definitions/SeccompAction"

View File

@ -365,13 +365,6 @@ type LinuxDeviceCgroup struct {
Access string `json:"access,omitempty"`
}
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures"`
Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Solaris contains platform specific configuration for Solaris application containers.
type Solaris struct {
// SMF FMRI which should go "online" before we start the container process.
@ -469,6 +462,13 @@ type WindowsNetworkResources struct {
EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
}
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures,omitempty"`
Syscalls []LinuxSyscall `json:"syscalls"`
}
// Arch used for additional architectures
type Arch string
@ -529,7 +529,8 @@ type LinuxSeccompArg struct {
// LinuxSyscall is used to match a syscall in Seccomp
type LinuxSyscall struct {
Name string `json:"name"`
Action LinuxSeccompAction `json:"action"`
Args []LinuxSeccompArg `json:"args,omitempty"`
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
Args []LinuxSeccompArg `json:"args"`
Comment string `json:"comment"`
}