docker-archive
diff --git a/‎configs/config.go
+3 b/‎configs/config.go
+3
diff --git a/‎init_linux.go
+15 b/‎init_linux.go
+15
diff --git a/‎integration/exec_test.go
+65 b/‎integration/exec_test.go
+65
diff --git a/‎seccomp/seccomp.go
+133 b/‎seccomp/seccomp.go
+133
@@ -61,6 +61,9 @@ type Config struct {
 	// All capbilities not specified will be dropped from the processes capability mask
 	Capabilities []string `json:"capabilities"`
 
+	// SysCalls specify the system calls to keep when executing the process inside the container
+	SysCalls []string `json:"syscalls"`
+
 	// Networks specifies the container's network setup to be created
 	Networks []*Network `json:"networks"`
 
 
@@ -13,6 +13,7 @@ import (
 	"github.com/docker/libcontainer/cgroups"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/netlink"
+	"github.com/docker/libcontainer/seccomp"
 	"github.com/docker/libcontainer/system"
 	"github.com/docker/libcontainer/user"
 	"github.com/docker/libcontainer/utils"
@@ -259,3 +260,17 @@ func killCgroupProcesses(m cgroups.Manager) error {
 	}
 	return nil
 }
+
+func finalizeSeccomp(config *initConfig) error {
+	scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow)
+	if 0 == len(config.Config.SysCalls) {
+		for key := range seccomp.SyscallMap {
+			seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow)
+		}
+	} else {
+		for _, call := range config.Config.SysCalls {
+			seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow)
+		}
+	}
+	return seccomp.ScmpLoad(scmpCtx)
+}
@@ -2,6 +2,7 @@ package integration
 
 import (
 	"bytes"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -13,6 +14,7 @@ import (
 	"github.com/docker/libcontainer"
 	"github.com/docker/libcontainer/cgroups/systemd"
 	"github.com/docker/libcontainer/configs"
+	"github.com/docker/libcontainer/seccomp"
 )
 
 func TestExecPS(t *testing.T) {
@@ -714,3 +716,66 @@ func TestSystemProperties(t *testing.T) {
 		t.Fatalf("kernel.shmmni property expected to be 8192, but is %s", shmmniOutput)
 	}
 }
+
+func allExcept(calls []string) []string {
+	num := len(seccomp.SyscallMap) - len(calls)
+	filter := make([]string, num)
+	i := 0
+	for key := range seccomp.SyscallMap {
+		j := 0
+		for _, key1 := range calls {
+			if strings.EqualFold(key, key1) {
+				break
+			}
+			j++
+		}
+		if j == len(calls) {
+			filter[i] = key
+			i++
+		}
+	}
+	return filter
+}
+
+func TestSeccompNotStat(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+
+	rootfs, err := newRootfs()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	exceptCall := []string{"STAT"}
+	config.SysCalls = allExcept(exceptCall)
+	out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+	if err == nil {
+		t.Fatal("runContainer should be failed")
+	} else {
+		fmt.Println(out)
+	}
+}
+
+func TestSeccompStat(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+
+	rootfs, err := newRootfs()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	exceptCall := []string{}
+	config.SysCalls = allExcept(exceptCall)
+	out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+	if err != nil {
+		t.Fatal(err)
+	}
+	fmt.Println(out)
+}
@@ -0,0 +1,133 @@
+package seccomp
+
+import (
+	"errors"
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+type sockFilter struct {
+	code uint16
+	jt   uint8
+	jf   uint8
+	k    uint32
+}
+
+type sockFprog struct {
+	len  uint16
+	filt []sockFilter
+}
+
+type Action struct {
+	syscall uint32
+	action  int
+	args    []string
+}
+
+type ScmpCtx struct {
+	CallMap map[string]Action
+	act     int
+}
+
+var ScmpActAllow = 0
+
+func ScmpInit(action int) (*ScmpCtx, error) {
+	ctx := ScmpCtx{
+		CallMap: make(map[string]Action),
+		act:     action,
+	}
+	return &ctx, nil
+}
+
+func ScmpAdd(ctx *ScmpCtx, call string, action int, args ...string) error {
+	_, exists := ctx.CallMap[call]
+	if exists {
+		return errors.New("syscall exist")
+	}
+
+	//fmt.Printf("%s\n", call)
+
+	sysCall, sysExists := SyscallMap[call]
+	if sysExists {
+		ctx.CallMap[call] = Action{sysCall, action, args}
+		return nil
+	}
+	return errors.New("syscall not surport")
+}
+
+func ScmpDel(ctx *ScmpCtx, call string) error {
+	_, exists := ctx.CallMap[call]
+	if exists {
+		delete(ctx.CallMap, call)
+		return nil
+	}
+
+	return errors.New("syscall not exist")
+}
+
+func ScmpBpfStmt(code uint16, k uint32) sockFilter {
+	return sockFilter{code, 0, 0, k}
+}
+
+func ScmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter {
+	return sockFilter{code, jt, jf, k}
+}
+
+func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
+	_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return nil
+}
+
+func scmpfilter(prog *sockFprog) (err error) {
+	_, _, e1 := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP),
+		uintptr(SECCOMP_MODE_FILTER), uintptr(unsafe.Pointer(prog)))
+	if e1 != 0 {
+		err = e1
+	}
+	return nil
+}
+
+func ScmpLoad(ctx *ScmpCtx) error {
+	for key := range SyscallMapMin {
+		ScmpAdd(ctx, key, ScmpActAllow)
+	}
+
+	num := len(ctx.CallMap)
+	filter := make([]sockFilter, num*2+3)
+
+	i := 0
+	filter[i] = ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 0)
+	i++
+
+	for _, value := range ctx.CallMap {
+		filter[i] = ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, value.syscall, 0, 1)
+		i++
+		filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_ALLOW)
+		i++
+	}
+
+	filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_TRAP)
+	i++
+	filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_KILL)
+	i++
+
+	prog := sockFprog{
+		len:  uint16(i),
+		filt: filter,
+	}
+
+	if nil != prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) {
+		fmt.Println("prctl PR_SET_NO_NEW_PRIVS error")
+		return errors.New("prctl PR_SET_NO_NEW_PRIVS error")
+	}
+
+	if nil != scmpfilter(&prog) {
+		fmt.Println("scmpfilter error")
+		return errors.New("scmpfilter error")
+	}
+	return nil
+}