move default seccomp profile into package

jessfraz · jessfraz · commit bed0bb7d017b · 2016-01-21T16:55:29.000-08:00
Signed-off-by: Jessica Frazelle &lt;acidburn@docker.com&gt;
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
@@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/daemon/execdriver"
 	derr "github.com/docker/docker/errors"
 	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/profiles/seccomp"
 
 	"github.com/docker/docker/volume"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
@@ -71,7 +72,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 		}
 
 		if c.SeccompProfile == "" {
-			container.Seccomp = getDefaultSeccompProfile()
+			container.Seccomp = seccomp.GetDefaultProfile()
 		}
 	}
 	// add CAP_ prefix to all caps for new libcontainer update to match
@@ -88,7 +89,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 	}
 
 	if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
-		container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)
+		container.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile)
 		if err != nil {
 			return nil, err
 		}
diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json
@@ -0,0 +1,27 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO",
+    "syscalls": [
+        {
+            "name": "clone",
+            "action": "SCMP_ACT_ALLOW",
+            "args": [
+                {
+                    "index": 0,
+                    "value": 2080505856,
+                    "valueTwo": 0,
+                    "op": "SCMP_CMP_MASKED_EQ"
+                }
+            ]
+        },
+        {
+            "name": "open",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        },
+        {
+            "name": "close",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        }
+    ]
+}
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
@@ -1,6 +1,6 @@
 // +build linux
 
-package native
+package seccomp
 
 import (
 	"encoding/json"
@@ -11,11 +11,13 @@ import (
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 )
 
-func getDefaultSeccompProfile() *configs.Seccomp {
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile() *configs.Seccomp {
 	return defaultSeccompProfile
 }
 
-func loadSeccompProfile(body string) (*configs.Seccomp, error) {
+// LoadProfile takes a file path a decodes the seccomp profile.
+func LoadProfile(body string) (*configs.Seccomp, error) {
 	var config types.Seccomp
 	if err := json.Unmarshal([]byte(body), &config); err != nil {
 		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
@@ -1,6 +1,6 @@
 // +build linux,seccomp
 
-package native
+package seccomp
 
 import (
 	"syscall"
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
@@ -0,0 +1,19 @@
+// +build linux
+
+package seccomp
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+func TestLoadProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("fixtures/example.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := LoadProfile(string(f)); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
@@ -1,6 +1,6 @@
 // +build linux,!seccomp
 
-package native
+package seccomp
 
 import "github.com/opencontainers/runc/libcontainer/configs"
 

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`"github.com/docker/docker/daemon/execdriver"`
`12`	`12`	`derr "github.com/docker/docker/errors"`
`13`	`13`	`"github.com/docker/docker/pkg/mount"`
	`14`	`+ "github.com/docker/docker/profiles/seccomp"`
`14`	`15`
`15`	`16`	`"github.com/docker/docker/volume"`
`16`	`17`	`"github.com/opencontainers/runc/libcontainer/apparmor"`
`@@ -71,7 +72,7 @@ func (d Driver) createContainer(c execdriver.Command, hooks execdriver.Hooks)`
`71`	`72`	`}`
`72`	`73`
`73`	`74`	`if c.SeccompProfile == "" {`
`74`		`- container.Seccomp = getDefaultSeccompProfile()`
	`75`	`+ container.Seccomp = seccomp.GetDefaultProfile()`
`75`	`76`	`}`
`76`	`77`	`}`
`77`	`78`	`// add CAP_ prefix to all caps for new libcontainer update to match`
`@@ -88,7 +89,7 @@ func (d Driver) createContainer(c execdriver.Command, hooks execdriver.Hooks)`
`88`	`89`	`}`
`89`	`90`
`90`	`91`	`if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {`
`91`		`- container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)`
	`92`	`+ container.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile)`
`92`	`93`	`if err != nil {`
`93`	`94`	`return nil, err`
`94`	`95`	`}`