Improve seccomp API

Signed-off-by: Michael Crosby <[email protected]>

Conflicts:
	configs/config.go
	container_linux.go
	seccomp/seccomp.go
	seccomp/seccomp.test

Author: crosbymichael

Makefile

@@ -18,8 +18,6 @@ direct-test-short:
 	go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES)
 
 direct-build:
-	chmod 755 hack/seccomp.sh
-	hack/seccomp.sh
 	go build -v $(GO_PACKAGES)
 
 direct-install:

configs/config.go

@@ -13,8 +13,38 @@ type IDMap struct {
 	Size        int `json:"size"`
 }
 
-type SeccompConf struct {
-	SysCalls []int `json:"syscalls"`
+type Seccomp struct {
+	Syscalls []*Syscall `json:"syscalls"`
+}
+
+type Action int
+
+const (
+	Kill Action = iota - 3
+	Trap
+	Allow
+)
+
+type Operator int
+
+const (
+	EqualTo Operator = iota
+	NotEqualTo
+	GreatherThan
+	LessThan
+	MaskEqualTo
+)
+
+type Arg struct {
+	Index int      `json:"index"`
+	Value uint32   `json:"value"`
+	Op    Operator `json:"op"`
+}
+
+type Syscall struct {
+	Value  int    `json:"value"`
+	Action Action `json:"action"`
+	Args   []*Arg `json:"args"`
 }
 
 // TODO Windows. Many of these fields should be factored out into those parts
@@ -109,6 +139,8 @@ type Config struct {
 	// sysctl -w my.property.name value in Linux.
 	SystemProperties map[string]string `json:"system_properties"`
 
-	// SysCalls specify the system calls to keep when executing the process inside the container
-	Seccomps SeccompConf `json:"seccomp"`
+	// Seccomp allows actions to be taken whenever a syscall is made within the container.
+	// By default, all syscalls are allowed with actions to allow, trap, kill, or return an errno
+	// can be specified on a per syscall basis.
+	Seccomp *Seccomp `json:"seccomp"`
 }

configs/namespaces_syscall.go

@@ -4,22 +4,17 @@ package configs
 
 import "syscall"
 
-var (
-	CLONE_SECCOMP = 0x10000 //diffrent from other flag, hard code
-)
-
 func (n *Namespace) Syscall() int {
 	return namespaceInfo[n.Type]
 }
 
 var namespaceInfo = map[NamespaceType]int{
-	NEWNET:     syscall.CLONE_NEWNET,
-	NEWNS:      syscall.CLONE_NEWNS,
-	NEWUSER:    syscall.CLONE_NEWUSER,
-	NEWIPC:     syscall.CLONE_NEWIPC,
-	NEWUTS:     syscall.CLONE_NEWUTS,
-	NEWPID:     syscall.CLONE_NEWPID,
-	NEWSECCOMP: CLONE_SECCOMP,
+	NEWNET:  syscall.CLONE_NEWNET,
+	NEWNS:   syscall.CLONE_NEWNS,
+	NEWUSER: syscall.CLONE_NEWUSER,
+	NEWIPC:  syscall.CLONE_NEWIPC,
+	NEWUTS:  syscall.CLONE_NEWUTS,
+	NEWPID:  syscall.CLONE_NEWPID,
 }
 
 // CloneFlags parses the container's Namespaces options to set the correct

configs/namespaces_unix.go

@@ -5,13 +5,12 @@ package configs
 import "fmt"
 
 const (
-	NEWNET     NamespaceType = "NEWNET"
-	NEWPID     NamespaceType = "NEWPID"
-	NEWNS      NamespaceType = "NEWNS"
-	NEWUTS     NamespaceType = "NEWUTS"
-	NEWIPC     NamespaceType = "NEWIPC"
-	NEWUSER    NamespaceType = "NEWUSER"
-	NEWSECCOMP NamespaceType = "NEWSECCOMP"
+	NEWNET  NamespaceType = "NEWNET"
+	NEWPID  NamespaceType = "NEWPID"
+	NEWNS   NamespaceType = "NEWNS"
+	NEWUTS  NamespaceType = "NEWUTS"
+	NEWIPC  NamespaceType = "NEWIPC"
+	NEWUSER NamespaceType = "NEWUSER"
 )
 
 func NamespaceTypes() []NamespaceType {

container_linux.go

@@ -169,13 +169,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 			cmd.SysProcAttr.Credential = &syscall.Credential{}
 		}
 	}
-	if cloneFlags&uintptr(configs.CLONE_SECCOMP) != 0 {
-		//os don't surport for CLONE_SECCOMP, remote it
-		c.config.Namespaces.Remove(configs.NEWSECCOMP)
-		cloneFlags = c.config.Namespaces.CloneFlags()
-	} else {
-		c.config.Seccomps.SysCalls = []int{}
-	}
 	cmd.Env = append(cmd.Env, t)
 	cmd.SysProcAttr.Cloneflags = cloneFlags
 	return &initProcess{