Merge pull request #42604 from kinvolk/rata/seccomp-new-fields

seccomp: Sync fields with runtime-spec fields
moby · Jul 15, 2021 · a2da507 · a2da507
2 parents b2e31eb + 5d24467
commit a2da507
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 1 deletion.
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
@@ -11,7 +11,11 @@ import (
 
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
- DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
+ DefaultAction specs.LinuxSeccompAction `json:"defaultAction"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
+ ListenerPath string `json:"listenerPath,omitempty"`
+ ListenerMetadata string `json:"listenerMetadata,omitempty"`
+
  // Architectures is kept to maintain backward compatibility with the old
  // seccomp profile.
  Architectures []specs.Arch `json:"architectures,omitempty"`

diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
@@ -107,6 +107,9 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
  }
 
  newConfig.DefaultAction = config.DefaultAction
+ newConfig.DefaultErrnoRet = config.DefaultErrnoRet
+ newConfig.ListenerPath = config.ListenerPath
+ newConfig.ListenerMetadata = config.ListenerMetadata
 
 Loop:
  // Loop through all syscall blocks and convert them to libcontainer format after filtering them

diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
@@ -59,6 +59,47 @@ func TestLoadProfile(t *testing.T) {
  assert.DeepEqual(t, expected, *p)
 }
 
+func TestLoadProfileWithDefaultErrnoRet(t *testing.T) {
+ var profile = []byte(`{
+"defaultAction": "SCMP_ACT_ERRNO",
+"defaultErrnoRet": 6
+}`)
+ rs := createSpec()
+ p, err := LoadProfile(string(profile), &rs)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ expectedErrnoRet := uint(6)
+ expected := specs.LinuxSeccomp{
+ DefaultAction: "SCMP_ACT_ERRNO",
+ DefaultErrnoRet: &expectedErrnoRet,
+ }
+
+ assert.DeepEqual(t, expected, *p)
+}
+
+func TestLoadProfileWithListenerPath(t *testing.T) {
+ var profile = []byte(`{
+"defaultAction": "SCMP_ACT_ERRNO",
+"listenerPath": "/var/run/seccompaget.sock",
+"listenerMetadata": "opaque-metadata"
+}`)
+ rs := createSpec()
+ p, err := LoadProfile(string(profile), &rs)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ expected := specs.LinuxSeccomp{
+ DefaultAction: "SCMP_ACT_ERRNO",
+ ListenerPath: "/var/run/seccompaget.sock",
+ ListenerMetadata: "opaque-metadata",
+ }
+
+ assert.DeepEqual(t, expected, *p)
+}
+
 // TestLoadLegacyProfile tests loading a seccomp profile in the old format
 // (before https://github.com/docker/docker/pull/24510)
 func TestLoadLegacyProfile(t *testing.T) {