diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
index 8bac3357..5a3d016d 100644
--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -6,29 +6,46 @@ import (
 "github.com/opencontainers/runc/libcontainer/configs"
 )

+var operators = map[string]configs.Operator{
+ "SCMP_CMP_NE": configs.NotEqualTo,
+ "SCMP_CMP_LT": configs.LessThan,
+ "SCMP_CMP_LE": configs.LessThanOrEqualTo,
+ "SCMP_CMP_EQ": configs.EqualTo,
+ "SCMP_CMP_GE": configs.GreaterThanOrEqualTo,
+ "SCMP_CMP_GT": configs.GreaterThan,
+ "SCMP_CMP_MASKED_EQ": configs.MaskEqualTo,
+}
+
+var actions = map[string]configs.Action{
+ "SCMP_ACT_KILL": configs.Kill,
+ "SCMP_ACT_ERRNO": configs.Errno,
+ "SCMP_ACT_TRAP": configs.Trap,
+ "SCMP_ACT_ALLOW": configs.Allow,
+}
+
+var archs = map[string]string{
+ "SCMP_ARCH_X86": "x86",
+ "SCMP_ARCH_X86_64": "amd64",
+ "SCMP_ARCH_X32": "x32",
+ "SCMP_ARCH_ARM": "arm",
+ "SCMP_ARCH_AARCH64": "arm64",
+ "SCMP_ARCH_MIPS": "mips",
+ "SCMP_ARCH_MIPS64": "mips64",
+ "SCMP_ARCH_MIPS64N32": "mips64n32",
+ "SCMP_ARCH_MIPSEL": "mipsel",
+ "SCMP_ARCH_MIPSEL64": "mipsel64",
+ "SCMP_ARCH_MIPSEL64N32": "mipsel64n32",
+}
+
 // ConvertStringToOperator converts a string into a Seccomp comparison operator.
 // Comparison operators use the names they are assigned by Libseccomp's header.
 // Attempting to convert a string that is not a valid operator results in an
 // error.
 func ConvertStringToOperator(in string) (configs.Operator, error) {
- switch in {
- case "SCMP_CMP_NE":
- return configs.NotEqualTo, nil
- case "SCMP_CMP_LT":
- return configs.LessThan, nil
- case "SCMP_CMP_LE":
- return configs.LessThanOrEqualTo, nil
- case "SCMP_CMP_EQ":
- return configs.EqualTo, nil
- case "SCMP_CMP_GE":
- return configs.GreaterThan, nil
- case "SCMP_CMP_GT":
- return configs.GreaterThanOrEqualTo, nil
- case "SCMP_CMP_MASKED_EQ":
- return configs.MaskEqualTo, nil
- default:
- return 0, fmt.Errorf("string %s is not a valid operator for seccomp", in)
+ if op, ok := operators[in]; ok == true {
+ return op, nil
 }
+ return 0, fmt.Errorf("string %s is not a valid operator for seccomp", in)
 }

 // ConvertStringToAction converts a string into a Seccomp rule match action.
@@ -38,16 +55,16 @@ func ConvertStringToOperator(in string) (configs.Operator, error) {
 // Attempting to convert a string that is not a valid action results in an
 // error.
 func ConvertStringToAction(in string) (configs.Action, error) {
- switch in {
- case "SCMP_ACT_KILL":
- return configs.Kill, nil
- case "SCMP_ACT_ERRNO":
- return configs.Errno, nil
- case "SCMP_ACT_TRAP":
- return configs.Trap, nil
- case "SCMP_ACT_ALLOW":
- return configs.Allow, nil
- default:
- return 0, fmt.Errorf("string %s is not a valid action for seccomp", in)
+ if act, ok := actions[in]; ok == true {
+ return act, nil
 }
+ return 0, fmt.Errorf("string %s is not a valid action for seccomp", in)
+}
+
+// ConvertStringToArch converts a string into a Seccomp comparison arch.
+func ConvertStringToArch(in string) (string, error) {
+ if arch, ok := archs[in]; ok == true {
+ return arch, nil
+ }
+ return "", fmt.Errorf("string %s is not a valid arch for seccomp", in)
 }
diff --git a/spec.go b/spec.go
index 9958f486..7948e6ea 100644
--- a/spec.go
+++ b/spec.go
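Review bot: The table refactor also silently swaps the mapping of SCMP_CMP_GE and SCMP_CMP_GT: the removed switch returned configs.GreaterThan for SCMP_CMP_GE and configs.GreaterThanOrEqualTo for SCMP_CMP_GT, while the new operators map returns GreaterThanOrEqualTo for GE and GreaterThan for GT. That corrects what looks like an inverted comparison, but it changes which argument values existing seccomp profiles match, so it should be called out in the commit message and pinned by a test rather than left implicit in a refactor. Separately, `ok == true` is redundant; write `if op, ok := operators[in]; ok {`, and the same applies to ConvertStringToAction and ConvertStringToArch in the next hunk. Consider `%q` instead of `%s` in the error so an empty or whitespace-only input is visible in the message.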
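Review bot: The doc comment on the new ConvertStringToArch reads `// ConvertStringToArch converts a string into a Seccomp comparison arch.`, which copies the operator converter's wording; an architecture is not a comparison operand. Suggest `// ConvertStringToArch converts a libseccomp architecture constant name (e.g. SCMP_ARCH_X86_64) into the architecture string stored in configs.Seccomp.Architectures; an unknown name results in an error.` The archs table lists only the x86, ARM and MIPS constants, so a profile naming any other libseccomp architecture is rejected with that error rather than passed through — a conservative default, but worth a one-line comment on the map so the omission reads as deliberate.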
@@ -648,6 +648,17 @@ func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
 newConfig := new(configs.Seccomp)
 newConfig.Syscalls = []*configs.Syscall{}

+ if len(config.Architectures) > 0 {
+ newConfig.Architectures = []string{}
+ for _, arch := range config.Architectures {
+ newArch, err := seccomp.ConvertStringToArch(string(arch))
+ if err != nil {
+ return nil, err
+ }
+ newConfig.Architectures = append(newConfig.Architectures, newArch)
+ }
+ }
+
 // Convert default action from string representation
 newDefaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
 if err != nil {
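Review bot: `newConfig.Architectures = []string{}` followed by append in the loop regrows the slice; pre-size it with `newConfig.Architectures = make([]string, 0, len(config.Architectures))`. The `len(config.Architectures) > 0` guard is what keeps Architectures nil when the spec lists none, so "no architectures given" stays distinguishable from an empty list — whatever consumes configs.Seccomp.Architectures presumably treats nil as "native architecture only"; that intent deserves a comment on the guard, e.g. `// Leave Architectures nil when the spec names none so the default arch handling applies.` The loop also passes a repeated architecture straight through if the spec lists it twice; whether the filter builder tolerates a duplicate arch is not visible here and may be worth deduplicating defensively. setupSeccomp's body continues outside the hunk.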