Merge pull request #657 from GrantSeltzer/improve-seccomp-spec

config: Improve seccomp format to be more expressive
2017-02-24 18:59:49 -08:00 · 2017-02-24 18:59:49 -08:00 · ae7a541930
parent 3f5078dab0 652323cd77
commit ae7a541930
4 changed files with 31 additions and 18 deletions
--- a/config-linux.md
+++ b/config-linux.md
@ -538,12 +538,17 @@ Operator Constants:
   "seccomp": {
       "defaultAction": "SCMP_ACT_ALLOW",
       "architectures": [
-           "SCMP_ARCH_X86"
+           "SCMP_ARCH_X86",
+           "SCMP_ARCH_X32"
       ],
       "syscalls": [
           {
-               "name": "getcwd",
-               "action": "SCMP_ACT_ERRNO"
+               "names": [
+                   "getcwd",
+                   "chmod"
+               ],
+               "action": "SCMP_ACT_ERRNO",
+               "comment": "stop exploit x"
           }
       ]
   }
--- a/config.md
+++ b/config.md
@ -762,12 +762,17 @@ Here is a full example `config.json` for reference.
        "seccomp": {
            "defaultAction": "SCMP_ACT_ALLOW",
            "architectures": [
-                "SCMP_ARCH_X86"
+                "SCMP_ARCH_X86",
+                "SCMP_ARCH_X32"
            ],
            "syscalls": [
                {
-                    "name": "getcwd",
-                    "action": "SCMP_ACT_ERRNO"
+                    "names": [
+                        "getcwd",
+                        "chmod"
+                    ],
+                    "action": "SCMP_ACT_ERRNO",
+                    "comment": "stop exploit x"
                }
            ]
        },
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@ -63,8 +63,10 @@
        "Syscall": {
            "type": "object",
            "properties": {
-                "name": {
-                    "type": "string"
+                "names": {
+                    "type": [
+                        "string"
+                    ]
                },
                "action": {
                    "$ref": "#/definitions/SeccompAction"
--- a/specs-go/config.go
+++ b/specs-go/config.go
@ -380,13 +380,6 @@ type LinuxDeviceCgroup struct {
 	Access string `json:"access,omitempty"`
 }

-// LinuxSeccomp represents syscall restrictions
-type LinuxSeccomp struct {
-	DefaultAction LinuxSeccompAction `json:"defaultAction"`
-	Architectures []Arch             `json:"architectures"`
-	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
-}
-
 // Solaris contains platform specific configuration for Solaris application containers.
 type Solaris struct {
 	// SMF FMRI which should go "online" before we start the container process.
@ -484,6 +477,13 @@ type WindowsNetworkResources struct {
 	EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
 }

+// LinuxSeccomp represents syscall restrictions
+type LinuxSeccomp struct {
+	DefaultAction LinuxSeccompAction `json:"defaultAction"`
+	Architectures []Arch             `json:"architectures,omitempty"`
+	Syscalls      []LinuxSyscall     `json:"syscalls"`
+}
+
 // Arch used for additional architectures
 type Arch string

@ -544,7 +544,8 @@ type LinuxSeccompArg struct {

 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
-	Name   string             `json:"name"`
-	Action LinuxSeccompAction `json:"action"`
-	Args   []LinuxSeccompArg  `json:"args,omitempty"`
+	Names   []string           `json:"names"`
+	Action  LinuxSeccompAction `json:"action"`
+	Args    []LinuxSeccompArg  `json:"args"`
+	Comment string             `json:"comment"`
 }