Merge pull request #657 from GrantSeltzer/improve-seccomp-spec

config: Improve seccomp format to be more expressive

Author: Mrunal Patel

config-linux.md

@@ -538,12 +538,17 @@ Operator Constants:
    "seccomp": {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": [
-           "SCMP_ARCH_X86"
+           "SCMP_ARCH_X86",
+           "SCMP_ARCH_X32"
        ],
        "syscalls": [
            {
-               "name": "getcwd",
-               "action": "SCMP_ACT_ERRNO"
+               "names": [
+                   "getcwd",
+                   "chmod"
+               ],
+               "action": "SCMP_ACT_ERRNO",
+               "comment": "stop exploit x"
            }
        ]
    }

config.md

@@ -762,12 +762,17 @@ Here is a full example `config.json` for reference.
         "seccomp": {
             "defaultAction": "SCMP_ACT_ALLOW",
             "architectures": [
-                "SCMP_ARCH_X86"
+                "SCMP_ARCH_X86",
+                "SCMP_ARCH_X32"
             ],
             "syscalls": [
                 {
-                    "name": "getcwd",
-                    "action": "SCMP_ACT_ERRNO"
+                    "names": [
+                        "getcwd",
+                        "chmod"
+                    ],
+                    "action": "SCMP_ACT_ERRNO",
+                    "comment": "stop exploit x"
                 }
             ]
         },

schema/defs-linux.json

@@ -63,8 +63,10 @@
         "Syscall": {
             "type": "object",
             "properties": {
-                "name": {
-                    "type": "string"
+                "names": {
+                    "type": [
+                        "string"
+                    ]
                 },
                 "action": {
                     "$ref": "#/definitions/SeccompAction"

specs-go/config.go

@@ -380,13 +380,6 @@ type LinuxDeviceCgroup struct {
 	Access string `json:"access,omitempty"`
 }
 
-// LinuxSeccomp represents syscall restrictions
-type LinuxSeccomp struct {
-	DefaultAction LinuxSeccompAction `json:"defaultAction"`
-	Architectures []Arch             `json:"architectures"`
-	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
-}
-
 // Solaris contains platform specific configuration for Solaris application containers.
 type Solaris struct {
 	// SMF FMRI which should go "online" before we start the container process.
@@ -484,6 +477,13 @@ type WindowsNetworkResources struct {
 	EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
 }
 
+// LinuxSeccomp represents syscall restrictions
+type LinuxSeccomp struct {
+	DefaultAction LinuxSeccompAction `json:"defaultAction"`
+	Architectures []Arch             `json:"architectures,omitempty"`
+	Syscalls      []LinuxSyscall     `json:"syscalls"`
+}
+
 // Arch used for additional architectures
 type Arch string
 
@@ -544,7 +544,8 @@ type LinuxSeccompArg struct {
 
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
-	Name   string             `json:"name"`
-	Action LinuxSeccompAction `json:"action"`
-	Args   []LinuxSeccompArg  `json:"args,omitempty"`
+	Names   []string           `json:"names"`
+	Action  LinuxSeccompAction `json:"action"`
+	Args    []LinuxSeccompArg  `json:"args"`
+	Comment string             `json:"comment"`
 }