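// parseSeccompSyscall parses one seccomp syscall rule given as
// "NAME:ACTION:ARGS". ARGS is either empty or a comma-separated list of
// "INDEX/VALUE/VALUETWO/OP" entries. ACTION is validated with
// checkSeccompSyscallAction and OP with checkSeccompSyscallArg before
// they are stored as rspec.Action / rspec.Operator.
//
// It returns an error when the rule does not have exactly three
// colon-separated fields, when an argument entry does not have exactly
// four slash-separated fields, when ACTION or OP is rejected by the
// checkers, or when any numeric field fails to parse.
func parseSeccompSyscall(s string) (rspec.Syscall, error) {
	syscall := strings.Split(s, ":")
	if len(syscall) != 3 {
		return rspec.Syscall{}, fmt.Errorf("seccomp sysctl must consist of 3 parameters")
	}
	name := syscall[0]
	if err := checkSeccompSyscallAction(syscall[1]); err != nil {
		return rspec.Syscall{}, err
	}
	action := rspec.Action(syscall[1])

	// args stays nil when ARGS is empty so the rule has no argument filters.
	var args []rspec.Arg
	if syscall[2] != "" {
		for _, entry := range strings.Split(syscall[2], ",") {
			fields := strings.Split(entry, "/")
			if len(fields) != 4 {
				return rspec.Syscall{}, fmt.Errorf("seccomp-sysctl args error: %s", entry)
			}
			// Each conversion is checked on its own: a single err shared
			// across the three parses and tested only once would let a
			// malformed INDEX or VALUE silently become 0 and produce a
			// filter that does not match what the user asked for. The
			// target fields are unsigned, so parse them as unsigned rather
			// than letting a negative int wrap on conversion.
			index, err := strconv.ParseUint(fields[0], 10, 0)
			if err != nil {
				return rspec.Syscall{}, err
			}
			value, err := strconv.ParseUint(fields[1], 10, 64)
			if err != nil {
				return rspec.Syscall{}, err
			}
			valueTwo, err := strconv.ParseUint(fields[2], 10, 64)
			if err != nil {
				return rspec.Syscall{}, err
			}
			if err := checkSeccompSyscallArg(fields[3]); err != nil {
				return rspec.Syscall{}, err
			}
			args = append(args, rspec.Arg{
				Index:    uint(index),
				Value:    value,
				ValueTwo: valueTwo,
				Op:       rspec.Operator(fields[3]),
			})
		}
	}

	return rspec.Syscall{
		Name:   name,
		Action: action,
		Args:   args,
	}, nil
}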
// SetLinuxSeccompDefault sets g.spec.Linux.Seccomp.DefaultAction.
//
// sdefault must be the empty string or one of SCMP_ACT_KILL, SCMP_ACT_TRAP,
// SCMP_ACT_ERRNO, SCMP_ACT_TRACE or SCMP_ACT_ALLOW. Any other value is
// rejected with an error before the spec is touched; an accepted value
// (including the empty string) is stored unchanged as an rspec.Action
// after the Linux.Seccomp section has been initialised.
func (g *Generator) SetLinuxSeccompDefault(sdefault string) error {
	switch sdefault {
	case "",
		"SCMP_ACT_KILL",
		"SCMP_ACT_TRAP",
		"SCMP_ACT_ERRNO",
		"SCMP_ACT_TRACE",
		"SCMP_ACT_ALLOW":
		// recognised default action; fall through to the assignment below
	default:
		return fmt.Errorf("seccomp-default must be empty or one of " +
			"SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|" +
			"SCMP_ACT_ALLOW")
	}

	g.initSpecLinuxSeccomp()
	g.spec.Linux.Seccomp.DefaultAction = rspec.Action(sdefault)
	return nil
}