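// addSeccompSyscalls parses every value of the "seccomp-syscalls" CLI flag and
// appends one seccomp rule per value to rspec.Linux.Seccomp.Syscalls.
//
// Each flag value has the form "NAME:ACTION:ARGS":
//   - ACTION is empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
//     SCMP_ACT_TRACE|SCMP_ACT_ALLOW.
//   - ARGS is empty or a comma-separated list of "INDEX/VALUE/VALUETWO/OP"
//     entries; INDEX, VALUE and VALUETWO are non-negative decimal integers and
//     OP is empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|
//     SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ.
//
// An empty ACTION or OP is passed through as-is; what the runtime makes of it
// is not decided here (NOTE(review): confirm against the spec consumer).
// The spec parameter is unused and only kept for signature compatibility.
//
// Returns an error for the first malformed value; rules built from earlier,
// well-formed values have already been appended at that point.
func addSeccompSyscalls(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	for _, rule := range context.StringSlice("seccomp-syscalls") {
		fields := strings.Split(rule, ":")
		if len(fields) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name := fields[0]

		switch fields[1] {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-sysctl action must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}
		action := specs.Action(fields[1])

		// A nil slice is kept for an empty ARGS field, exactly as before.
		var ruleArgs []*specs.Arg
		if fields[2] != "" {
			for _, entry := range strings.Split(fields[2], ",") {
				parts := strings.Split(entry, "/")
				if len(parts) != 4 {
					return fmt.Errorf("seccomp-sysctl args error: %s", entry)
				}

				// Each number is parsed and checked on its own: the original
				// reused a single err and only inspected the last one, so a
				// bad INDEX or VALUE was silently turned into 0. ParseUint
				// also rejects negative input, which would otherwise wrap
				// when converted to uint/uint64 and yield a rule that does
				// not match what the operator wrote.
				index, err := strconv.ParseUint(parts[0], 10, 0)
				if err != nil {
					return fmt.Errorf("seccomp-sysctl arg index %q: %v", parts[0], err)
				}
				value, err := strconv.ParseUint(parts[1], 10, 64)
				if err != nil {
					return fmt.Errorf("seccomp-sysctl arg value %q: %v", parts[1], err)
				}
				valueTwo, err := strconv.ParseUint(parts[2], 10, 64)
				if err != nil {
					return fmt.Errorf("seccomp-sysctl arg valueTwo %q: %v", parts[2], err)
				}

				switch parts[3] {
				case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
				default:
					return fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
				}

				arg := specs.Arg{
					Index:    uint(index),
					Value:    value,
					ValueTwo: valueTwo,
					Op:       specs.Operator(parts[3]),
				}
				ruleArgs = append(ruleArgs, &arg)
			}
		}

		sc := specs.Syscall{
			Name:   name,
			Action: action,
			Args:   ruleArgs,
		}
		rspec.Linux.Seccomp.Syscalls = append(rspec.Linux.Seccomp.Syscalls, &sc)
	}
	return nil
}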
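// validateSeccomp checks that a seccomp profile is actually enforced for one
// observable case: when the default action is SCMP_ACT_ALLOW and a rule maps
// getcwd to SCMP_ACT_ERRNO, running "pwd" must fail and its stderr (with
// newlines stripped) must equal "pwd: getcwd: Operation not permitted".
// Profiles that do not match this pattern are accepted without any check.
//
// NOTE(review): the expected stderr text assumes a pwd binary that reports
// errors in this exact wording — confirm for the images this runs against.
// The spec parameter is unused and only kept for signature compatibility.
//
// Returns nil when the check passes or does not apply, otherwise an error
// describing the mismatch.
func validateSeccomp(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
	if rspec.Linux.Seccomp.DefaultAction != specs.Action("SCMP_ACT_ALLOW") {
		return nil
	}
	for _, sc := range rspec.Linux.Seccomp.Syscalls {
		if !strings.EqualFold(sc.Name, "getcwd") || sc.Action != specs.Action("SCMP_ACT_ERRNO") {
			continue
		}

		var stderr bytes.Buffer
		cmd := exec.Command("pwd")
		cmd.Stderr = &stderr
		err := cmd.Run()
		stderrinfo := strings.Replace(stderr.String(), "\n", "", -1)

		// The original built this error but never returned it, so a clean
		// exit (the rule not being enforced at all) passed validation.
		if err == nil {
			return fmt.Errorf("Expecting error (negative return code);but exited cleanly!")
		}
		if !strings.EqualFold(stderrinfo, "pwd: getcwd: Operation not permitted") {
			return fmt.Errorf("stderr expected: [pwd: getcwd: Operation not permitted], actual:[%v]", stderr.String())
		}
	}
	return nil
}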
// setSeccompDefaultAction reads the "seccomp-default" CLI flag and stores it
// as rspec.Linux.Seccomp.DefaultAction.
//
// The flag must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
// SCMP_ACT_TRACE|SCMP_ACT_ALLOW; any other value is rejected with an error and
// rspec is left untouched. An empty value is stored as an empty Action.
// The spec parameter is unused and only kept for signature compatibility.
func setSeccompDefaultAction(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	defaultAction := context.String("seccomp-default")
	switch defaultAction {
	case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		rspec.Linux.Seccomp.DefaultAction = specs.Action(defaultAction)
		return nil
	}
	return fmt.Errorf("seccomp-default must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
}
// addSeccompDefault validates sdefault and stores it as
// spec.Linux.Seccomp.DefaultAction.
//
// sdefault must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
// SCMP_ACT_TRACE|SCMP_ACT_ALLOW; anything else yields an error and spec is
// left untouched. An empty value is stored as an empty Action.
func addSeccompDefault(spec *specs.LinuxSpec, sdefault string) error {
	switch sdefault {
	case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		spec.Linux.Seccomp.DefaultAction = specs.Action(sdefault)
		return nil
	}
	return fmt.Errorf("seccomp-default must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
}
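// addSeccompSyscall parses each entry of sSyscall and appends one seccomp rule
// per entry to spec.Linux.Seccomp.Syscalls.
//
// Each entry has the form "NAME:ACTION:ARGS":
//   - ACTION is empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|
//     SCMP_ACT_TRACE|SCMP_ACT_ALLOW.
//   - ARGS is empty or a comma-separated list of "INDEX/VALUE/VALUETWO/OP"
//     entries; INDEX, VALUE and VALUETWO are non-negative decimal integers and
//     OP is empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|
//     SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ.
//
// An empty ACTION or OP is passed through as-is; what the runtime makes of it
// is not decided here (NOTE(review): confirm against the spec consumer).
//
// Returns an error for the first malformed entry; rules built from earlier,
// well-formed entries have already been appended at that point.
func addSeccompSyscall(spec *specs.LinuxSpec, sSyscall []string) error {
	for _, rule := range sSyscall {
		fields := strings.Split(rule, ":")
		if len(fields) != 3 {
			return fmt.Errorf("seccomp sysctl must consist of 3 parameters")
		}
		name := fields[0]

		switch fields[1] {
		case "", "SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW":
		default:
			return fmt.Errorf("seccomp-syscall action must be empty or one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
		}
		action := specs.Action(fields[1])

		// A nil slice is kept for an empty ARGS field, exactly as before.
		var ruleArgs []specs.Arg
		if fields[2] != "" {
			for _, entry := range strings.Split(fields[2], ",") {
				parts := strings.Split(entry, "/")
				if len(parts) != 4 {
					return fmt.Errorf("seccomp-sysctl args error: %s", entry)
				}

				// Each number is parsed and checked on its own: the original
				// reused a single err and only inspected the last one, so a
				// bad INDEX or VALUE was silently turned into 0. ParseUint
				// also rejects negative input, which would otherwise wrap
				// when converted to uint/uint64 and yield a rule that does
				// not match what the operator wrote.
				index, err := strconv.ParseUint(parts[0], 10, 0)
				if err != nil {
					return fmt.Errorf("seccomp-syscall arg index %q: %v", parts[0], err)
				}
				value, err := strconv.ParseUint(parts[1], 10, 64)
				if err != nil {
					return fmt.Errorf("seccomp-syscall arg value %q: %v", parts[1], err)
				}
				valueTwo, err := strconv.ParseUint(parts[2], 10, 64)
				if err != nil {
					return fmt.Errorf("seccomp-syscall arg valueTwo %q: %v", parts[2], err)
				}

				switch parts[3] {
				case "", "SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ":
				default:
					return fmt.Errorf("seccomp-syscall args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
				}

				ruleArgs = append(ruleArgs, specs.Arg{
					Index:    uint(index),
					Value:    value,
					ValueTwo: valueTwo,
					Op:       specs.Operator(parts[3]),
				})
			}
		}

		spec.Linux.Seccomp.Syscalls = append(spec.Linux.Seccomp.Syscalls, specs.Syscall{
			Name:   name,
			Action: action,
			Args:   ruleArgs,
		})
	}
	return nil
}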