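// addSeccompSyscalls appends one seccomp rule to rspec.Linux.Seccomp.Syscalls
// for every "--seccomp-syscalls" value on the command line.
//
// Each value has the form NAME:ACTION:ARGS. ACTION is empty or one of the
// SCMP_ACT_* names. ARGS is either empty (the rule matches the syscall
// unconditionally, nil argument list) or a comma-separated list of
// INDEX/VALUE/VALUETWO/OP entries, where OP is empty or one of the SCMP_CMP_*
// comparison names. The first malformed value aborts parsing with an error;
// rules parsed before it have already been appended. spec is not used.
//
// Numbers are parsed with strconv.Atoi, so a negative number is accepted and
// wraps when converted to uint/uint64 (kept as-is for compatibility).
func addSeccompSyscalls(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	for _, entry := range context.StringSlice("seccomp-syscalls") {
		fields := strings.Split(entry, ":")
		if len(fields) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name, actionName, argSpec := fields[0], fields[1], fields[2]

		switch actionName {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-sysctl action must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}
		action := specs.Action(actionName)

		var args []*specs.Arg
		if argSpec != "" {
			for _, argEntry := range strings.Split(argSpec, ",") {
				parts := strings.Split(argEntry, "/")
				if len(parts) != 4 {
					return fmt.Errorf("seccomp-sysctl args error: %s", argEntry)
				}
				// Every conversion is checked individually. Previously only
				// the last error was inspected, so a bad INDEX or VALUE was
				// silently replaced by 0 and the resulting rule filtered
				// something other than what the operator wrote.
				index, err := strconv.Atoi(parts[0])
				if err != nil {
					return err
				}
				value, err := strconv.Atoi(parts[1])
				if err != nil {
					return err
				}
				valueTwo, err := strconv.Atoi(parts[2])
				if err != nil {
					return err
				}
				switch parts[3] {
				case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
				default:
					return fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
				}
				args = append(args, &specs.Arg{
					Index:    uint(index),
					Value:    uint64(value),
					ValueTwo: uint64(valueTwo),
					Op:       specs.Operator(parts[3]),
				})
			}
		}

		rspec.Linux.Seccomp.Syscalls = append(rspec.Linux.Seccomp.Syscalls, &specs.Syscall{
			Name:   name,
			Action: action,
			Args:   args,
		})
	}
	return nil
}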
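// parseArgs parses a comma-separated list of INDEX/VALUE/VALUETWO/OP seccomp
// argument filters into *specs.Arg values.
//
// INDEX, VALUE and VALUETWO are decimal integers (parsed with strconv.Atoi,
// so negative numbers are accepted and wrap on conversion to unsigned). OP is
// empty or one of the SCMP_CMP_* comparison names. The first malformed entry
// returns an error and the partial result is discarded. An empty input is not
// special-cased: "" splits into one entry without "/" separators and is
// therefore reported as an error; callers that want "no argument filter"
// must skip the call.
func parseArgs(args2parse string) ([]*specs.Arg, error) {
	var parsed []*specs.Arg
	for _, entry := range strings.Split(args2parse, ",") {
		parts := strings.Split(entry, "/")
		if len(parts) != 4 {
			return nil, fmt.Errorf("seccomp-sysctl args error: %s", entry)
		}
		// Check each conversion on its own: reusing err across the three
		// Atoi calls only reported the last one, so a bad INDEX or VALUE
		// silently became 0 and the rule no longer matched what was written.
		index, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		value, err := strconv.Atoi(parts[1])
		if err != nil {
			return nil, err
		}
		valueTwo, err := strconv.Atoi(parts[2])
		if err != nil {
			return nil, err
		}
		switch parts[3] {
		case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
		default:
			return nil, fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
		}
		parsed = append(parsed, &specs.Arg{
			Index:    uint(index),
			Value:    uint64(value),
			ValueTwo: uint64(valueTwo),
			Op:       specs.Operator(parts[3]),
		})
	}
	return parsed, nil
}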
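// addSeccompSyscall appends one seccomp rule to spec.Linux.Seccomp.Syscalls
// for every entry of sSyscall.
//
// Each entry has the form NAME:ACTION:ARGS. ACTION is empty or one of the
// SCMP_ACT_* names. ARGS is either empty (the rule matches the syscall
// unconditionally, nil argument list) or a comma-separated list of
// INDEX/VALUE/VALUETWO/OP entries, where OP is empty or one of the SCMP_CMP_*
// comparison names. The first malformed entry aborts with an error; rules
// parsed before it have already been appended.
//
// Numbers are parsed with strconv.Atoi, so a negative number is accepted and
// wraps when converted to uint/uint64 (kept as-is for compatibility).
func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error {
	for _, entry := range sSyscall {
		fields := strings.Split(entry, ":")
		if len(fields) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name, actionName, argSpec := fields[0], fields[1], fields[2]

		switch actionName {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-syscall action must be empty or " +
				"one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|" +
				"SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}
		action := specs.Action(actionName)

		var args []specs.Arg
		if argSpec != "" {
			for _, argEntry := range strings.Split(argSpec, ",") {
				parts := strings.Split(argEntry, "/")
				if len(parts) != 4 {
					return fmt.Errorf("seccomp-sysctl args error: %s", argEntry)
				}
				// Every conversion is checked individually. Previously only
				// the last error was inspected, so a bad INDEX or VALUE was
				// silently replaced by 0 and the resulting rule filtered
				// something other than what the operator wrote.
				index, err := strconv.Atoi(parts[0])
				if err != nil {
					return err
				}
				value, err := strconv.Atoi(parts[1])
				if err != nil {
					return err
				}
				valueTwo, err := strconv.Atoi(parts[2])
				if err != nil {
					return err
				}
				switch parts[3] {
				case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
				default:
					return fmt.Errorf("seccomp-syscall args must be " +
						"empty or one of SCMP_CMP_NE|SCMP_CMP_LT|" +
						"SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|" +
						"SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
				}
				args = append(args, specs.Arg{
					Index:    uint(index),
					Value:    uint64(value),
					ValueTwo: uint64(valueTwo),
					Op:       specs.Operator(parts[3]),
				})
			}
		}

		spec.Linux.Seccomp.Syscalls = append(spec.Linux.Seccomp.Syscalls, specs.Syscall{
			Name:   name,
			Action: action,
			Args:   args,
		})
	}
	return nil
}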