예제 #1
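// parseSeccompSyscall parses one seccomp rule given as "NAME:ACTION:ARGS"
// into an rspec.Syscall.
//
// NAME is the syscall name, ACTION is validated by checkSeccompSyscallAction,
// and ARGS is either empty (no argument constraints, Args stays nil) or a
// comma-separated list of "INDEX/VALUE/VALUETWO/OP" entries, with OP
// validated by checkSeccompSyscallArg.
//
// Every numeric field is parsed strictly and every parse error is returned:
// the original code only checked the last of three parse results, so a
// malformed INDEX or VALUE silently became 0 and produced a filter entry that
// constrained the wrong argument (or the wrong value) instead of failing.
func parseSeccompSyscall(s string) (rspec.Syscall, error) {
	fields := strings.Split(s, ":")
	if len(fields) != 3 {
		return rspec.Syscall{}, fmt.Errorf("seccomp syscall must consist of 3 parameters")
	}
	name := fields[0]
	if err := checkSeccompSyscallAction(fields[1]); err != nil {
		return rspec.Syscall{}, err
	}
	action := rspec.Action(fields[1])

	// An empty ARGS field yields a nil Args slice, as before.
	var args []rspec.Arg
	if fields[2] != "" {
		for _, entry := range strings.Split(fields[2], ",") {
			arg, err := parseSeccompArg(entry)
			if err != nil {
				return rspec.Syscall{}, err
			}
			args = append(args, arg)
		}
	}

	return rspec.Syscall{
		Name:   name,
		Action: action,
		Args:   args,
	}, nil
}

// parseSeccompArg parses a single "INDEX/VALUE/VALUETWO/OP" argument
// constraint. Any malformed field is an error; nothing defaults to zero.
func parseSeccompArg(entry string) (rspec.Arg, error) {
	parts := strings.Split(entry, "/")
	if len(parts) != 4 {
		return rspec.Arg{}, fmt.Errorf("seccomp-syscall args error: %s", entry)
	}

	index, err := strconv.ParseUint(parts[0], 10, 0)
	if err != nil {
		return rspec.Arg{}, fmt.Errorf("seccomp-syscall arg index %q: %w", parts[0], err)
	}
	// A syscall carries at most six arguments (indices 0-5); anything larger
	// can never match and would only be rejected later, with a less helpful
	// error, when the profile is loaded.
	if index > 5 {
		return rspec.Arg{}, fmt.Errorf("seccomp-syscall arg index %d out of range (0-5)", index)
	}

	value, err := parseSeccompValue(parts[1])
	if err != nil {
		return rspec.Arg{}, fmt.Errorf("seccomp-syscall arg value %q: %w", parts[1], err)
	}
	value2, err := parseSeccompValue(parts[2])
	if err != nil {
		return rspec.Arg{}, fmt.Errorf("seccomp-syscall arg valueTwo %q: %w", parts[2], err)
	}

	if err := checkSeccompSyscallArg(parts[3]); err != nil {
		return rspec.Arg{}, err
	}

	return rspec.Arg{
		Index:    uint(index),
		Value:    value,
		ValueTwo: value2,
		Op:       rspec.Operator(parts[3]),
	}, nil
}

// parseSeccompValue parses a decimal argument value into the uint64 the
// seccomp filter compares against. The full uint64 range is accepted; a
// negative decimal is accepted too and converted with two's-complement
// wrapping, which matches what the previous Atoi-then-uint64 conversion did
// (e.g. "-100" for AT_FDCWD-style constants), but the parse error is now
// reported instead of dropped.
func parseSeccompValue(s string) (uint64, error) {
	if u, err := strconv.ParseUint(s, 10, 64); err == nil {
		return u, nil
	}
	i, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return 0, err
	}
	return uint64(i), nil
}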
예제 #2
// SetLinuxSeccompDefault sets g.spec.Linux.Seccomp.DefaultAction.
//
// sdefault must be empty or one of SCMP_ACT_KILL, SCMP_ACT_TRAP,
// SCMP_ACT_ERRNO, SCMP_ACT_TRACE or SCMP_ACT_ALLOW. Any other string is
// rejected with an error before the spec is touched, so an unrecognised
// default action never ends up in the generated profile. An empty string is
// accepted and stored as an empty Action.
func (g *Generator) SetLinuxSeccompDefault(sdefault string) error {
	accepted := false
	switch sdefault {
	case "",
		"SCMP_ACT_KILL",
		"SCMP_ACT_TRAP",
		"SCMP_ACT_ERRNO",
		"SCMP_ACT_TRACE",
		"SCMP_ACT_ALLOW":
		accepted = true
	}
	if !accepted {
		return fmt.Errorf("seccomp-default must be empty or one of " +
			"SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|" +
			"SCMP_ACT_ALLOW")
	}

	// Make sure the Linux.Seccomp section exists before writing into it.
	g.initSpecLinuxSeccomp()
	g.spec.Linux.Seccomp.DefaultAction = rspec.Action(sdefault)
	return nil
}