Add the conversion of architectures for seccomp config
Signed-off-by: yangshukui <yangshukui@huawei.com>
This commit is contained in:
parent
2a6ae44f8e
commit
e5ef8d239a
|
@ -6,29 +6,46 @@ import (
|
|||
"github.com/opencontainers/runc/libcontainer/configs"
|
||||
)
|
||||
|
||||
var operators = map[string]configs.Operator{
|
||||
"SCMP_CMP_NE": configs.NotEqualTo,
|
||||
"SCMP_CMP_LT": configs.LessThan,
|
||||
"SCMP_CMP_LE": configs.LessThanOrEqualTo,
|
||||
"SCMP_CMP_EQ": configs.EqualTo,
|
||||
"SCMP_CMP_GE": configs.GreaterThanOrEqualTo,
|
||||
"SCMP_CMP_GT": configs.GreaterThan,
|
||||
"SCMP_CMP_MASKED_EQ": configs.MaskEqualTo,
|
||||
}
|
||||
|
||||
var actions = map[string]configs.Action{
|
||||
"SCMP_ACT_KILL": configs.Kill,
|
||||
"SCMP_ACT_ERRNO": configs.Errno,
|
||||
"SCMP_ACT_TRAP": configs.Trap,
|
||||
"SCMP_ACT_ALLOW": configs.Allow,
|
||||
}
|
||||
|
||||
var archs = map[string]string{
|
||||
"SCMP_ARCH_X86": "x86",
|
||||
"SCMP_ARCH_X86_64": "amd64",
|
||||
"SCMP_ARCH_X32": "x32",
|
||||
"SCMP_ARCH_ARM": "arm",
|
||||
"SCMP_ARCH_AARCH64": "arm64",
|
||||
"SCMP_ARCH_MIPS": "mips",
|
||||
"SCMP_ARCH_MIPS64": "mips64",
|
||||
"SCMP_ARCH_MIPS64N32": "mips64n32",
|
||||
"SCMP_ARCH_MIPSEL": "mipsel",
|
||||
"SCMP_ARCH_MIPSEL64": "mipsel64",
|
||||
"SCMP_ARCH_MIPSEL64N32": "mipsel64n32",
|
||||
}
|
||||
|
||||
// ConvertStringToOperator converts a string into a Seccomp comparison operator.
|
||||
// Comparison operators use the names they are assigned by Libseccomp's header.
|
||||
// Attempting to convert a string that is not a valid operator results in an
|
||||
// error.
|
||||
func ConvertStringToOperator(in string) (configs.Operator, error) {
|
||||
switch in {
|
||||
case "SCMP_CMP_NE":
|
||||
return configs.NotEqualTo, nil
|
||||
case "SCMP_CMP_LT":
|
||||
return configs.LessThan, nil
|
||||
case "SCMP_CMP_LE":
|
||||
return configs.LessThanOrEqualTo, nil
|
||||
case "SCMP_CMP_EQ":
|
||||
return configs.EqualTo, nil
|
||||
case "SCMP_CMP_GE":
|
||||
return configs.GreaterThan, nil
|
||||
case "SCMP_CMP_GT":
|
||||
return configs.GreaterThanOrEqualTo, nil
|
||||
case "SCMP_CMP_MASKED_EQ":
|
||||
return configs.MaskEqualTo, nil
|
||||
default:
|
||||
return 0, fmt.Errorf("string %s is not a valid operator for seccomp", in)
|
||||
if op, ok := operators[in]; ok == true {
|
||||
return op, nil
|
||||
}
|
||||
return 0, fmt.Errorf("string %s is not a valid operator for seccomp", in)
|
||||
}
|
||||
|
||||
// ConvertStringToAction converts a string into a Seccomp rule match action.
|
||||
|
@ -38,16 +55,16 @@ func ConvertStringToOperator(in string) (configs.Operator, error) {
|
|||
// Attempting to convert a string that is not a valid action results in an
|
||||
// error.
|
||||
func ConvertStringToAction(in string) (configs.Action, error) {
|
||||
switch in {
|
||||
case "SCMP_ACT_KILL":
|
||||
return configs.Kill, nil
|
||||
case "SCMP_ACT_ERRNO":
|
||||
return configs.Errno, nil
|
||||
case "SCMP_ACT_TRAP":
|
||||
return configs.Trap, nil
|
||||
case "SCMP_ACT_ALLOW":
|
||||
return configs.Allow, nil
|
||||
default:
|
||||
if act, ok := actions[in]; ok == true {
|
||||
return act, nil
|
||||
}
|
||||
return 0, fmt.Errorf("string %s is not a valid action for seccomp", in)
|
||||
}
|
||||
|
||||
// ConvertStringToArch converts a string into a Seccomp comparison arch.
|
||||
func ConvertStringToArch(in string) (string, error) {
|
||||
if arch, ok := archs[in]; ok == true {
|
||||
return arch, nil
|
||||
}
|
||||
return "", fmt.Errorf("string %s is not a valid arch for seccomp", in)
|
||||
}
|
||||
|
|
11
spec.go
11
spec.go
|
@ -648,6 +648,17 @@ func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
|
|||
newConfig := new(configs.Seccomp)
|
||||
newConfig.Syscalls = []*configs.Syscall{}
|
||||
|
||||
if len(config.Architectures) > 0 {
|
||||
newConfig.Architectures = []string{}
|
||||
for _, arch := range config.Architectures {
|
||||
newArch, err := seccomp.ConvertStringToArch(string(arch))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
newConfig.Architectures = append(newConfig.Architectures, newArch)
|
||||
}
|
||||
}
|
||||
|
||||
// Convert default action from string representation
|
||||
newDefaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
|
||||
if err != nil {
|
||||
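Review bot: An architecture name that is not in the conversion table makes setupSeccomp return an error rather than silently dropping the entry, which is the right fail-closed behaviour for a sandbox config, but nothing in the hunk says so; add `// Unknown arch names are rejected, not skipped: a filter built for fewer ABIs than the spec listed would silently weaken the sandbox.` above the `for _, arch := range config.Architectures` loop. As a point of style, `newConfig.Architectures = []string{}` is then grown by `append` once per entry; inside the existing `len(config.Architectures) > 0` guard it can be sized up front as `newConfig.Architectures = make([]string, 0, len(config.Architectures))`, keeping the nil-when-empty result the guard provides. The loop forwards duplicate entries unchanged, and whether the filter setup that consumes `newConfig.Architectures` tolerates the same arch twice is not visible here and worth confirming. setupSeccomp starts before the hunk and continues past it.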
|
|