Initial commit

vendor/github.com/hyperhq/hypercli/profiles/seccomp/fixtures/example.json

@@ -0,0 +1,27 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO",
+    "syscalls": [
+        {
+            "name": "clone",
+            "action": "SCMP_ACT_ALLOW",
+            "args": [
+                {
+                    "index": 0,
+                    "value": 2080505856,
+                    "valueTwo": 0,
+                    "op": "SCMP_CMP_MASKED_EQ"
+                }
+            ]
+        },
+        {
+            "name": "open",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        },
+        {
+            "name": "close",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        }
+    ]
+}

vendor/github.com/hyperhq/hypercli/profiles/seccomp/seccomp.go

@@ -0,0 +1,94 @@
+// +build linux
+
+package seccomp
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/engine-api/types"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/seccomp"
+)
+
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile() *configs.Seccomp {
+	return defaultSeccompProfile
+}
+
+// LoadProfile takes a file path a decodes the seccomp profile.
+func LoadProfile(body string) (*configs.Seccomp, error) {
+	var config types.Seccomp
+	if err := json.Unmarshal([]byte(body), &config); err != nil {
+		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
+	}
+
+	return setupSeccomp(&config)
+}
+
+func setupSeccomp(config *types.Seccomp) (newConfig *configs.Seccomp, err error) {
+	if config == nil {
+		return nil, nil
+	}
+
+	// No default action specified, no syscalls listed, assume seccomp disabled
+	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+		return nil, nil
+	}
+
+	newConfig = new(configs.Seccomp)
+	newConfig.Syscalls = []*configs.Syscall{}
+
+	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
+	if len(config.Architectures) > 0 {
+		newConfig.Architectures = []string{}
+		for _, arch := range config.Architectures {
+			newArch, err := seccomp.ConvertStringToArch(string(arch))
+			if err != nil {
+				return nil, err
+			}
+			newConfig.Architectures = append(newConfig.Architectures, newArch)
+		}
+	}
+
+	// Convert default action from string representation
+	newConfig.DefaultAction, err = seccomp.ConvertStringToAction(string(config.DefaultAction))
+	if err != nil {
+		return nil, err
+	}
+
+	// Loop through all syscall blocks and convert them to libcontainer format
+	for _, call := range config.Syscalls {
+		newAction, err := seccomp.ConvertStringToAction(string(call.Action))
+		if err != nil {
+			return nil, err
+		}
+
+		newCall := configs.Syscall{
+			Name:   call.Name,
+			Action: newAction,
+			Args:   []*configs.Arg{},
+		}
+
+		// Loop through all the arguments of the syscall and convert them
+		for _, arg := range call.Args {
+			newOp, err := seccomp.ConvertStringToOperator(string(arg.Op))
+			if err != nil {
+				return nil, err
+			}
+
+			newArg := configs.Arg{
+				Index:    arg.Index,
+				Value:    arg.Value,
+				ValueTwo: arg.ValueTwo,
+				Op:       newOp,
+			}
+
+			newCall.Args = append(newCall.Args, &newArg)
+		}
+
+		newConfig.Syscalls = append(newConfig.Syscalls, &newCall)
+	}
+
+	return newConfig, nil
+}

vendor/github.com/hyperhq/hypercli/profiles/seccomp/seccomp_test.go

@@ -0,0 +1,19 @@
+// +build linux
+
+package seccomp
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+func TestLoadProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("fixtures/example.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := LoadProfile(string(f)); err != nil {
+		t.Fatal(err)
+	}
+}

vendor/github.com/hyperhq/hypercli/profiles/seccomp/seccomp_unsupported.go

@@ -0,0 +1,9 @@
+// +build linux,!seccomp
+
+package seccomp
+
+import "github.com/opencontainers/runc/libcontainer/configs"
+
+var (
+	defaultSeccompProfile *configs.Seccomp
+)