Merge pull request #657 from GrantSeltzer/improve-seccomp-spec

config: Improve seccomp format to be more expressive
Mrunal Patel 2017-02-24 18:59:49 -08:00 committed by GitHub
commit ae7a541930
4 changed files with 31 additions and 18 deletions


@ -538,12 +538,17 @@ Operator Constants:
"seccomp": { "seccomp": {
"defaultAction": "SCMP_ACT_ALLOW", "defaultAction": "SCMP_ACT_ALLOW",
"architectures": [ "architectures": [
"SCMP_ARCH_X86" "SCMP_ARCH_X86",
"SCMP_ARCH_X32"
], ],
"syscalls": [ "syscalls": [
{ {
"name": "getcwd", "names": [
"action": "SCMP_ACT_ERRNO" "getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
} }
] ]
} }


@ -762,12 +762,17 @@ Here is a full example `config.json` for reference.
"seccomp": { "seccomp": {
"defaultAction": "SCMP_ACT_ALLOW", "defaultAction": "SCMP_ACT_ALLOW",
"architectures": [ "architectures": [
"SCMP_ARCH_X86" "SCMP_ARCH_X86",
"SCMP_ARCH_X32"
], ],
"syscalls": [ "syscalls": [
{ {
"name": "getcwd", "names": [
"action": "SCMP_ACT_ERRNO" "getcwd",
"chmod"
],
"action": "SCMP_ACT_ERRNO",
"comment": "stop exploit x"
} }
] ]
}, },


@ -63,8 +63,10 @@
"Syscall": { "Syscall": {
"type": "object", "type": "object",
"properties": { "properties": {
"name": { "names": {
"type": "string" "type": [
"string"
]
}, },
"action": { "action": {
"$ref": "#/definitions/SeccompAction" "$ref": "#/definitions/SeccompAction"
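Review bot: The new `names` property is typed as `["string"]`, while the Go struct (`Names []string`) and both documentation examples in this commit carry an array of strings, so a validator driven by this schema will reject every config written in the new format. The property should read `"names": { "type": "array", "items": { "type": "string" } }`, and a `"minItems": 1` would additionally stop an accidental empty list, which matches no syscall and silently turns the rule into a no-op, from validating. The `Syscall` definition continues past the end of this hunk, so whether `names` is also listed under `required` cannot be seen here.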


@ -380,13 +380,6 @@ type LinuxDeviceCgroup struct {
Access string `json:"access,omitempty"` Access string `json:"access,omitempty"`
} }
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures"`
Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Solaris contains platform specific configuration for Solaris application containers. // Solaris contains platform specific configuration for Solaris application containers.
type Solaris struct { type Solaris struct {
// SMF FMRI which should go "online" before we start the container process. // SMF FMRI which should go "online" before we start the container process.
@ -484,6 +477,13 @@ type WindowsNetworkResources struct {
EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"` EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
} }
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures,omitempty"`
Syscalls []LinuxSyscall `json:"syscalls"`
}
// Arch used for additional architectures // Arch used for additional architectures
type Arch string type Arch string
@ -544,7 +544,8 @@ type LinuxSeccompArg struct {
// LinuxSyscall is used to match a syscall in Seccomp // LinuxSyscall is used to match a syscall in Seccomp
type LinuxSyscall struct { type LinuxSyscall struct {
Name string `json:"name"` Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"` Action LinuxSeccompAction `json:"action"`
Args []LinuxSeccompArg `json:"args,omitempty"` Args []LinuxSeccompArg `json:"args"`
Comment string `json:"comment"`
} }
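Review bot: Dropping `omitempty` from `args` on the new side makes an encoder emit `"args": null` for a rule with no argument filters, and the new `comment` field has no `omitempty` either, so `"comment": ""` appears on every rule; both are noise in a security-critical filter definition, and a `null` where the schema expects an array may fail validation. Keep the tags as `json:"args,omitempty"` on `Args` and `json:"comment,omitempty"` on `Comment`. The earlier hunk in this file likewise removes `omitempty` from `syscalls` while adding it to `architectures`, the reverse of the previous tags, so a nil `Syscalls` now serializes as `null` rather than being omitted; if that swap is intentional it deserves a sentence in the commit message. `Names` also gets no doc comment; since the runtime's treatment of an empty list is not visible here, a line such as `// Names lists the syscalls this rule applies to; an empty list matches nothing.` would at least state the expectation.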