Merge pull request #42005 from thaJeztah/refactor_seccomp

Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet"
moby · Jul 7, 2021 · 5e4da6c · 5e4da6c
2 parents c858e49 + c7cd1b9
commit 5e4da6c
Show file tree

Hide file tree

Showing 6 changed files with 685 additions and 691 deletions.
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -393,11 +393,7 @@
  "write",
  "writev"
  ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {}
+ "action": "SCMP_ACT_ALLOW"
  },
  {
  "names": [
@@ -406,12 +402,9 @@
  "ptrace"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": null,
- "comment": "",
  "includes": {
  "minKernel": "4.8"
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -424,10 +417,7 @@
  "value": 0,
  "op": "SCMP_CMP_EQ"
  }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
+ ]
  },
  {
  "names": [
@@ -440,10 +430,7 @@
  "value": 8,
  "op": "SCMP_CMP_EQ"
  }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
+ ]
  },
  {
  "names": [
@@ -456,10 +443,7 @@
  "value": 131072,
  "op": "SCMP_CMP_EQ"
  }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
+ ]
  },
  {
  "names": [
@@ -472,10 +456,7 @@
  "value": 131080,
  "op": "SCMP_CMP_EQ"
  }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
+ ]
  },
  {
  "names": [
@@ -488,24 +469,18 @@
  "value": 4294967295,
  "op": "SCMP_CMP_EQ"
  }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
+ ]
  },
  {
  "names": [
  "sync_file_range2"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "arches": [
  "ppc64le"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -517,46 +492,37 @@
  "set_tls"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "arches": [
  "arm",
  "arm64"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "arch_prctl"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "arches": [
  "amd64",
  "x32"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "modify_ldt"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "arches": [
  "amd64",
  "x32",
  "x86"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -565,29 +531,23 @@
  "s390_runtime_instr"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "arches": [
  "s390",
  "s390x"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "open_by_handle_at"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_DAC_READ_SEARCH"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -614,14 +574,11 @@
  "unshare"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_ADMIN"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -635,8 +592,6 @@
  "op": "SCMP_CMP_MASKED_EQ"
  }
  ],
- "comment": "",
- "includes": {},
  "excludes": {
  "caps": [
  "CAP_SYS_ADMIN"
@@ -677,28 +632,22 @@
  "reboot"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_BOOT"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "chroot"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_CHROOT"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -707,28 +656,22 @@
  "finit_module"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_MODULE"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "acct"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_PACCT"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -740,29 +683,23 @@
  "ptrace"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_PTRACE"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "iopl",
  "ioperm"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_RAWIO"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -771,28 +708,22 @@
  "clock_settime"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_TIME"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "vhangup"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_TTY_CONFIG"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
@@ -801,28 +732,22 @@
  "set_mempolicy"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYS_NICE"
  ]
- },
- "excludes": {}
+ }
  },
  {
  "names": [
  "syslog"
  ],
  "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
  "includes": {
  "caps": [
  "CAP_SYSLOG"
  ]
- },
- "excludes": {}
+ }
  }
  ]
 }