From 84373aaa560b3f14cfda210b2f34ca14fd4b1fce Mon Sep 17 00:00:00 2001
From: blacktop
Date: Thu, 26 Sep 2019 11:03:03 -0400
Subject: [PATCH] Add SCMP_ACT_LOG as a valid Seccomp action (#1951)

Signed-off-by: blacktop
---
 libcontainer/configs/config.go | 1 +
 libcontainer/seccomp/config.go | 1 +
 libcontainer/seccomp/seccomp_linux.go | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 7728522f..24989e9f 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -44,6 +44,7 @@ const (
 Trap
 Allow
 Trace
+ Log
 )

 // Operator is a comparison operator to be used when matching syscall arguments in Seccomp
diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
index ded5a6bb..c3212279 100644
--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -22,6 +22,7 @@ var actions = map[string]configs.Action{
 "SCMP_ACT_TRAP": configs.Trap,
 "SCMP_ACT_ALLOW": configs.Allow,
 "SCMP_ACT_TRACE": configs.Trace,
+ "SCMP_ACT_LOG": configs.Log,
 }

 var archs = map[string]string{
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
index d99f3fe6..1b7a0711 100644
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -19,6 +19,7 @@ var (
 actTrap = libseccomp.ActTrap
 actKill = libseccomp.ActKill
 actTrace = libseccomp.ActTrace.SetReturnCode(int16(unix.EPERM))
+ actLog = libseccomp.ActLog
 actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM))
 )

@@ -112,6 +113,8 @@ func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
 return actAllow, nil
 case configs.Trace:
 return actTrace, nil
+ case configs.Log:
+ return actLog, nil
 default:
 return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
 }
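Review bot: The new `Log` constant in the `const (` block of libcontainer/configs/config.go carries no comment, and the name alone does not say that the seccomp log action lets the syscall run and only records it. A profile author who reads it as "deny and log" would end up with a rule, or a default action, that enforces nothing. I would add `// Log permits the syscall and only logs it; it blocks nothing.` above the constant. The const block begins outside this hunk, so whether the sibling actions are documented is not visible here.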
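Review bot: `actLog = libseccomp.ActLog` in the `var (` block, and the `case configs.Log:` branch added to getAction further down the same file, use the log action unconditionally, although it only works on hosts whose kernel and libseccomp support it (SECCOMP_RET_LOG arrived in Linux 4.14, and libseccomp exposes it from 2.4 / API level 3). On an older host a profile naming SCMP_ACT_LOG will presumably fail later, when the rule is added or the filter is loaded, with an error that does not name the action; that path is outside these hunks. I would at least record the requirement next to the variable, `// actLog requires SECCOMP_RET_LOG (Linux 4.14+) and libseccomp API level 3.`, and consider checking support up front so the failure mentions SCMP_ACT_LOG. The diffstat lists no test file, so the new branch is also untested. getAction's body starts outside its hunk.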