1- // +build linux
1+ //go:generate go run -tags 'seccomp' generate.go
22
33package seccomp // import "github.com/docker/docker/profiles/seccomp"
44
55import (
66 "encoding/json"
77 "errors"
88 "fmt"
9+ "runtime"
910
1011 "github.com/docker/docker/api/types"
1112 "github.com/docker/docker/pkg/parsers/kernel"
1213 specs "github.com/opencontainers/runtime-spec/specs-go"
13- libseccomp "github.com/seccomp/libseccomp-golang"
1414)
1515
16- //go:generate go run -tags 'seccomp' generate.go
17-
1816// GetDefaultProfile returns the default seccomp profile.
1917func GetDefaultProfile (rs * specs.Spec ) (* specs.LinuxSeccomp , error ) {
2018 return setupSeccomp (DefaultProfile (), rs )
@@ -29,16 +27,42 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
2927 return setupSeccomp (& config , rs )
3028}
3129
30+ // libseccomp string => seccomp arch
3231var nativeToSeccomp = map [string ]types.Arch {
32+ "x86" : types .ArchX86 ,
3333 "amd64" : types .ArchX86_64 ,
34+ "arm" : types .ArchARM ,
3435 "arm64" : types .ArchAARCH64 ,
3536 "mips64" : types .ArchMIPS64 ,
3637 "mips64n32" : types .ArchMIPS64N32 ,
3738 "mipsel64" : types .ArchMIPSEL64 ,
38- "mipsel64n32" : types .ArchMIPSEL64N32 ,
39+ "mips3l64n32" : types .ArchMIPSEL64N32 ,
40+ "mipsle" : types .ArchMIPSEL ,
41+ "ppc" : types .ArchPPC ,
42+ "ppc64" : types .ArchPPC64 ,
43+ "ppc64le" : types .ArchPPC64LE ,
44+ "s390" : types .ArchS390 ,
3945 "s390x" : types .ArchS390X ,
4046}
4147
48+ // GOARCH => libseccomp string
49+ var goToNative = map [string ]string {
50+ "386" : "x86" ,
51+ "amd64" : "amd64" ,
52+ "arm" : "arm" ,
53+ "arm64" : "arm64" ,
54+ "mips64" : "mips64" ,
55+ "mips64p32" : "mips64n32" ,
56+ "mips64le" : "mipsel64" ,
57+ "mips64p32le" : "mips3l64n32" ,
58+ "mipsle" : "mipsel" ,
59+ "ppc" : "ppc" ,
60+ "ppc64" : "ppc64" ,
61+ "ppc64le" : "ppc64le" ,
62+ "s390" : "s390" ,
63+ "s390x" : "s390x" ,
64+ }
65+
4266// inSlice tests whether a string is contained in a slice of strings or not.
4367// Comparison is case sensitive
4468func inSlice (slice []string , s string ) bool {
@@ -62,12 +86,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
6286
6387 newConfig := & specs.LinuxSeccomp {}
6488
65- var arch string
66- var native , err = libseccomp .GetNativeArch ()
67- if err == nil {
68- arch = native .String ()
69- }
70-
7189 if len (config .Architectures ) != 0 && len (config .ArchMap ) != 0 {
7290 return nil , errors .New ("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'" )
7391 }
@@ -79,17 +97,17 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
7997 }
8098 }
8199
82- if len (config .ArchMap ) != 0 {
100+ arch := goToNative [runtime .GOARCH ]
101+ seccompArch , archExists := nativeToSeccomp [arch ]
102+
103+ if len (config .ArchMap ) != 0 && archExists {
83104 for _ , a := range config .ArchMap {
84- seccompArch , ok := nativeToSeccomp [arch ]
85- if ok {
86- if a .Arch == seccompArch {
87- newConfig .Architectures = append (newConfig .Architectures , specs .Arch (a .Arch ))
88- for _ , sa := range a .SubArches {
89- newConfig .Architectures = append (newConfig .Architectures , specs .Arch (sa ))
90- }
91- break
105+ if a .Arch == seccompArch {
106+ newConfig .Architectures = append (newConfig .Architectures , specs .Arch (a .Arch ))
107+ for _ , sa := range a .SubArches {
108+ newConfig .Architectures = append (newConfig .Architectures , specs .Arch (sa ))
92109 }
110+ break
93111 }
94112 }
95113 }
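Review bot: When runtime.GOARCH has no entry in goToNative (arch is then "") or the resulting native name is absent from nativeToSeccomp, archExists is false and the whole archMap branch is skipped silently, so the profile is returned with an empty Architectures list and nothing records why. The removed libseccomp path behaved the same way after a GetNativeArch error, so this is not a regression, but with a static table the case is now cheap to make explicit: either `if len(config.ArchMap) != 0 && !archExists { return nil, fmt.Errorf("no seccomp arch mapping for GOARCH %q", runtime.GOARCH) }` ahead of the loop, or, if an error is too strict for unusual ports, a comment above `arch := goToNative[runtime.GOARCH]` stating that unmapped architectures intentionally fall through with no architectures set. Separately, the nativeToSeccomp key `"mips3l64n32"` breaks the naming pattern of its neighbours (the removed line had `"mipsel64n32"`); if it is deliberate so that goToNative's `"mips64p32le"` entry lands on the string libseccomp-golang used for that arch, a one-line comment saying so would save the next reader a search. setupSeccomp begins and ends outside this hunk.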