func addSeccompSyscalls(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	for _, syscalls := range context.StringSlice("seccomp-syscalls") {
		syscall := strings.Split(syscalls, ":")
		if len(syscall) == 3 {
			name := syscall[0]
			switch syscall[1] {
			case "":
			case "SCMP_ACT_KILL":
			case "SCMP_ACT_TRAP":
			case "SCMP_ACT_ERRNO":
			case "SCMP_ACT_TRACE":
			case "SCMP_ACT_ALLOW":
			default:
				return fmt.Errorf("seccomp-sysctl action must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
			}
			action := specs.Action(syscall[1])
			var Args []*specs.Arg
			if strings.EqualFold(syscall[2], "") {
				Args = nil
			} else {

				argsslice := strings.Split(syscall[2], ",")
				for _, argsstru := range argsslice {
					args := strings.Split(argsstru, "/")
					if len(args) == 4 {
						index, err := strconv.Atoi(args[0])
						value, err := strconv.Atoi(args[1])
						value2, err := strconv.Atoi(args[2])
						if err != nil {
							return err
						}
						switch args[3] {
						case "":
						case "SCMP_CMP_NE":
						case "SCMP_CMP_LT":
						case "SCMP_CMP_LE":
						case "SCMP_CMP_EQ":
						case "SCMP_CMP_GE":
						case "SCMP_CMP_GT":
						case "SCMP_CMP_MASKED_EQ":
						default:
							return fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
						}
						op := specs.Operator(args[3])
						Arg := specs.Arg{uint(index), uint64(value), uint64(value2), op}
						Args = append(Args, &Arg)
					} else {
						return fmt.Errorf("seccomp-sysctl args error: %s", argsstru)
					}
				}
			}
			syscallstruct := specs.Syscall{name, action, Args}
			rspec.Linux.Seccomp.Syscalls = append(rspec.Linux.Seccomp.Syscalls, &syscallstruct)
		} else {
			return fmt.Errorf("seccomp sysctl must consits 3 parameters")
		}
	}
	return nil
}
func validateSeccomp(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
	if rspec.Linux.Seccomp.DefaultAction == specs.Action("SCMP_ACT_ALLOW") {
		for _, syscall := range rspec.Linux.Seccomp.Syscalls {
			if strings.EqualFold(syscall.Name, "getcwd") && syscall.Action == specs.Action("SCMP_ACT_ERRNO") {
				var stderr bytes.Buffer
				cmd := exec.Command("pwd")
				cmd.Stderr = &stderr
				err := cmd.Run()
				stderrinfo := strings.Replace(stderr.String(), "\n", "", -1)
				if err == nil {
					fmt.Errorf("Expecting error (negative return code);but exited cleanly!")
				}
				if !strings.EqualFold(stderrinfo, "pwd: getcwd: Operation not permitted") {
					return fmt.Errorf("stderr expected: [pwd: getcwd: Operation not permitted], actual:[%v]", stderr.String())
				}
			}
		}
	}
	return nil
}
func setSeccompDefaultAction(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	sd := context.String("seccomp-default")
	switch sd {
	case "":
	case "SCMP_ACT_KILL":
	case "SCMP_ACT_TRAP":
	case "SCMP_ACT_ERRNO":
	case "SCMP_ACT_TRACE":
	case "SCMP_ACT_ALLOW":
	default:
		return fmt.Errorf("seccomp-default must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
	}
	rspec.Linux.Seccomp.DefaultAction = specs.Action(sd)
	return nil
}
示例#4
0
func addSeccompDefault(spec *specs.LinuxSpec, sdefault string) error {
	switch sdefault {
	case "":
	case "SCMP_ACT_KILL":
	case "SCMP_ACT_TRAP":
	case "SCMP_ACT_ERRNO":
	case "SCMP_ACT_TRACE":
	case "SCMP_ACT_ALLOW":
	default:
		return fmt.Errorf("seccomp-default must be empty or one of " +
			"SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|" +
			"SCMP_ACT_ALLOW")
	}
	spec.Linux.Seccomp.DefaultAction = specs.Action(sdefault)
	return nil
}
示例#5
0
func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error {
	for _, syscalls := range sSyscall {
		syscall := strings.Split(syscalls, ":")
		if len(syscall) == 3 {
			name := syscall[0]
			switch syscall[1] {
			case "":
			case "SCMP_ACT_KILL":
			case "SCMP_ACT_TRAP":
			case "SCMP_ACT_ERRNO":
			case "SCMP_ACT_TRACE":
			case "SCMP_ACT_ALLOW":
			default:
				return fmt.Errorf("seccomp-syscall action must be empty or " +
					"one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|" +
					"SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
			}
			action := specs.Action(syscall[1])

			var Args []specs.Arg
			if strings.EqualFold(syscall[2], "") {
				Args = nil
			} else {

				argsslice := strings.Split(syscall[2], ",")
				for _, argsstru := range argsslice {
					args := strings.Split(argsstru, "/")
					if len(args) == 4 {
						index, err := strconv.Atoi(args[0])
						value, err := strconv.Atoi(args[1])
						value2, err := strconv.Atoi(args[2])
						if err != nil {
							return err
						}
						switch args[3] {
						case "":
						case "SCMP_CMP_NE":
						case "SCMP_CMP_LT":
						case "SCMP_CMP_LE":
						case "SCMP_CMP_EQ":
						case "SCMP_CMP_GE":
						case "SCMP_CMP_GT":
						case "SCMP_CMP_MASKED_EQ":
						default:
							return fmt.Errorf("seccomp-syscall args must be " +
								"empty or one of SCMP_CMP_NE|SCMP_CMP_LT|" +
								"SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|" +
								"SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
						}
						op := specs.Operator(args[3])
						Arg := specs.Arg{
							Index:    uint(index),
							Value:    uint64(value),
							ValueTwo: uint64(value2),
							Op:       op,
						}
						Args = append(Args, Arg)
					} else {
						return fmt.Errorf("seccomp-sysctl args error: %s", argsstru)
					}
				}
			}

			syscallstruct := specs.Syscall{
				Name:   name,
				Action: action,
				Args:   Args,
			}
			spec.Linux.Seccomp.Syscalls = append(spec.Linux.Seccomp.Syscalls, syscallstruct)
		} else {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
	}

	return nil
}