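// addSeccompSyscalls parses every "--seccomp-syscalls" flag value of the form
// NAME:ACTION:ARGS and appends one seccomp rule per value to
// rspec.Linux.Seccomp.Syscalls.
//
// ACTION may be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
// SCMP_ACT_TRACE|SCMP_ACT_ALLOW. ARGS may be empty (no argument filter), or a
// comma-separated list of INDEX/VALUE/VALUE2/OP entries; see
// parseSeccompArgPtrs for the entry format.
//
// spec is not read; it is kept so existing callers keep compiling. Parsing
// stops at the first malformed value and its error is returned; rules built
// from earlier values have already been appended by then.
//
// NOTE(review): rspec.Linux.Seccomp is dereferenced without a nil check, as in
// the original — confirm it is always populated before this is called.
func addSeccompSyscalls(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	for _, entry := range context.StringSlice("seccomp-syscalls") {
		parts := strings.Split(entry, ":")
		if len(parts) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name, action, argSpec := parts[0], parts[1], parts[2]

		// An empty action is accepted (it maps to the zero specs.Action).
		switch action {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-sysctl action must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}

		// Empty ARGS means "match the syscall regardless of its arguments",
		// which is represented by a nil Args slice.
		var args []*specs.Arg
		if argSpec != "" {
			var err error
			args, err = parseSeccompArgPtrs(argSpec)
			if err != nil {
				return err
			}
		}

		rule := specs.Syscall{
			Name:   name,
			Action: specs.Action(action),
			Args:   args,
		}
		rspec.Linux.Seccomp.Syscalls = append(rspec.Linux.Seccomp.Syscalls, &rule)
	}
	return nil
}

// parseSeccompArgPtrs parses a comma-separated list of INDEX/VALUE/VALUE2/OP
// entries into seccomp argument filters.
//
// INDEX, VALUE and VALUE2 are parsed as unsigned base-10 integers. The
// original code parsed them with strconv.Atoi and then converted to uint/uint64,
// so a negative or non-numeric field could silently wrap into a huge unsigned
// value or be replaced by zero; here every field is checked and the first bad
// one is reported. OP may be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|
// SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ.
//
// Returns nil and an error for the first entry that is not well formed.
func parseSeccompArgPtrs(argSpec string) ([]*specs.Arg, error) {
	var args []*specs.Arg
	for _, entry := range strings.Split(argSpec, ",") {
		fields := strings.Split(entry, "/")
		if len(fields) != 4 {
			return nil, fmt.Errorf("seccomp-sysctl args error: %s", entry)
		}

		// Each parse result is checked on its own line: the original reused a
		// single err variable across three Atoi calls and only inspected the
		// last one, so a bad INDEX or VALUE was silently dropped.
		index, err := strconv.ParseUint(fields[0], 10, 0)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args index %q: %v", fields[0], err)
		}
		value, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args value %q: %v", fields[1], err)
		}
		value2, err := strconv.ParseUint(fields[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args value2 %q: %v", fields[2], err)
		}

		switch fields[3] {
		case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
		default:
			return nil, fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
		}

		args = append(args, &specs.Arg{
			Index:    uint(index),
			Value:    value,
			ValueTwo: value2,
			Op:       specs.Operator(fields[3]),
		})
	}
	return args, nil
}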
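// parseArgs parses a comma-separated list of INDEX/VALUE/VALUE2/OP entries
// into seccomp argument filters.
//
// INDEX, VALUE and VALUE2 are parsed as unsigned base-10 integers. The
// original code parsed them with strconv.Atoi and then converted to uint/uint64,
// so a negative or non-numeric field could silently wrap into a huge unsigned
// value or be replaced by zero; here every field is checked and the first bad
// one is reported. OP may be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|
// SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ.
//
// An empty args2parse is an error, since it splits into a single entry with
// no fields. Returns nil and an error for the first malformed entry.
func parseArgs(args2parse string) ([]*specs.Arg, error) {
	var parsed []*specs.Arg
	for _, entry := range strings.Split(args2parse, ",") {
		fields := strings.Split(entry, "/")
		if len(fields) != 4 {
			return nil, fmt.Errorf("seccomp-sysctl args error: %s", entry)
		}

		// Each parse result is checked on its own line: the original reused a
		// single err variable across three Atoi calls and only inspected the
		// last one, so a bad INDEX or VALUE was silently dropped.
		index, err := strconv.ParseUint(fields[0], 10, 0)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args index %q: %v", fields[0], err)
		}
		value, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args value %q: %v", fields[1], err)
		}
		value2, err := strconv.ParseUint(fields[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-sysctl args value2 %q: %v", fields[2], err)
		}

		switch fields[3] {
		case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
		default:
			return nil, fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
		}

		parsed = append(parsed, &specs.Arg{
			Index:    uint(index),
			Value:    value,
			ValueTwo: value2,
			Op:       specs.Operator(fields[3]),
		})
	}
	return parsed, nil
}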
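// addSeccompSyscall parses every NAME:ACTION:ARGS entry in sSyscall and
// appends one seccomp rule per entry to spec.Linux.Seccomp.Syscalls.
//
// ACTION may be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
// SCMP_ACT_TRACE|SCMP_ACT_ALLOW. ARGS may be empty (no argument filter), or a
// comma-separated list of INDEX/VALUE/VALUE2/OP entries; see
// parseSeccompArgList for the entry format.
//
// Parsing stops at the first malformed entry and its error is returned; rules
// built from earlier entries have already been appended by then.
//
// NOTE(review): spec.Linux.Seccomp is dereferenced without a nil check, as in
// the original — confirm it is always populated before this is called.
func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error {
	for _, entry := range sSyscall {
		parts := strings.Split(entry, ":")
		if len(parts) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name, action, argSpec := parts[0], parts[1], parts[2]

		// An empty action is accepted (it maps to the zero specs.Action).
		switch action {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-syscall action must be empty or " +
				"one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|" +
				"SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}

		// Empty ARGS means "match the syscall regardless of its arguments",
		// which is represented by a nil Args slice.
		var args []specs.Arg
		if argSpec != "" {
			var err error
			args, err = parseSeccompArgList(argSpec)
			if err != nil {
				return err
			}
		}

		rule := specs.Syscall{
			Name:   name,
			Action: specs.Action(action),
			Args:   args,
		}
		spec.Linux.Seccomp.Syscalls = append(spec.Linux.Seccomp.Syscalls, rule)
	}

	return nil
}

// parseSeccompArgList parses a comma-separated list of INDEX/VALUE/VALUE2/OP
// entries into seccomp argument filters.
//
// INDEX, VALUE and VALUE2 are parsed as unsigned base-10 integers. The
// original code parsed them with strconv.Atoi and then converted to uint/uint64,
// so a negative or non-numeric field could silently wrap into a huge unsigned
// value or be replaced by zero; here every field is checked and the first bad
// one is reported. OP may be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|
// SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ.
//
// Returns nil and an error for the first entry that is not well formed.
func parseSeccompArgList(argSpec string) ([]specs.Arg, error) {
	var args []specs.Arg
	for _, entry := range strings.Split(argSpec, ",") {
		fields := strings.Split(entry, "/")
		if len(fields) != 4 {
			return nil, fmt.Errorf("seccomp-sysctl args error: %s", entry)
		}

		// Each parse result is checked on its own line: the original reused a
		// single err variable across three Atoi calls and only inspected the
		// last one, so a bad INDEX or VALUE was silently dropped.
		index, err := strconv.ParseUint(fields[0], 10, 0)
		if err != nil {
			return nil, fmt.Errorf("seccomp-syscall args index %q: %v", fields[0], err)
		}
		value, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-syscall args value %q: %v", fields[1], err)
		}
		value2, err := strconv.ParseUint(fields[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("seccomp-syscall args value2 %q: %v", fields[2], err)
		}

		switch fields[3] {
		case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
		default:
			return nil, fmt.Errorf("seccomp-syscall args must be " +
				"empty or one of SCMP_CMP_NE|SCMP_CMP_LT|" +
				"SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|" +
				"SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
		}

		args = append(args, specs.Arg{
			Index:    uint(index),
			Value:    value,
			ValueTwo: value2,
			Op:       specs.Operator(fields[3]),
		})
	}
	return args, nil
}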