From a600da91f47c2b2c8e2000cb0c5eb4992a289f61 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 22 Jul 2025 17:13:44 +0200 Subject: [PATCH] profiles/apparmor, seccomp: migrate to separate module 
Signed-off-by: Sebastiaan van Stijn --- daemon/apparmor_default.go | 2 +- daemon/seccomp_linux.go | 2 +- daemon/seccomp_linux_test.go | 2 +- integration-cli/docker_cli_run_unix_test.go | 12 +- oci/seccomp_test.go | 2 +- profiles/apparmor/apparmor_deprecated.go | 21 + profiles/apparmor/apparmor_linux_test.go | 197 -- .../seccomp/fixtures/conditional_include.json | 23 - .../seccomp/fixtures/default-old-format.json | 1593 ----------------- profiles/seccomp/fixtures/example.json | 34 - profiles/seccomp/generate.go | 31 - profiles/seccomp/kernel_linux_test.go | 120 -- profiles/seccomp/seccomp_deprecated.go | 37 + profiles/seccomp/seccomp_deprecated_linux.go | 27 + profiles/seccomp/seccomp_test.go | 314 ---- vendor.mod | 2 + vendor.sum | 4 + .../github.com/moby/profiles/apparmor/LICENSE | 202 +++ .../moby/profiles}/apparmor/apparmor.go | 0 .../moby/profiles}/apparmor/template.go | 1 - .../github.com/moby/profiles/seccomp/LICENSE | 202 +++ .../moby/profiles}/seccomp/default.json | 0 .../moby/profiles}/seccomp/default_linux.go | 0 .../moby/profiles}/seccomp/kernel_linux.go | 0 .../moby/profiles}/seccomp/seccomp.go | 0 .../moby/profiles}/seccomp/seccomp_linux.go | 0 vendor/modules.txt | 6 + 27 files changed, 516 insertions(+), 2318 deletions(-) create mode 100644 profiles/apparmor/apparmor_deprecated.go delete mode 100644 profiles/apparmor/apparmor_linux_test.go delete mode 100644 profiles/seccomp/fixtures/conditional_include.json delete mode 100644 profiles/seccomp/fixtures/default-old-format.json delete mode 100644 profiles/seccomp/fixtures/example.json delete mode 100644 profiles/seccomp/generate.go delete mode 100644 profiles/seccomp/kernel_linux_test.go create mode 100644 profiles/seccomp/seccomp_deprecated.go create mode 100644 profiles/seccomp/seccomp_deprecated_linux.go delete mode 100644 profiles/seccomp/seccomp_test.go create mode 100644 vendor/github.com/moby/profiles/apparmor/LICENSE rename {profiles => vendor/github.com/moby/profiles}/apparmor/apparmor.go 
(100%) rename {profiles => vendor/github.com/moby/profiles}/apparmor/template.go (96%) create mode 100644 vendor/github.com/moby/profiles/seccomp/LICENSE rename {profiles => vendor/github.com/moby/profiles}/seccomp/default.json (100%) rename {profiles => vendor/github.com/moby/profiles}/seccomp/default_linux.go (100%) rename {profiles => vendor/github.com/moby/profiles}/seccomp/kernel_linux.go (100%) rename {profiles => vendor/github.com/moby/profiles}/seccomp/seccomp.go (100%) rename {profiles => vendor/github.com/moby/profiles}/seccomp/seccomp_linux.go (100%)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index d5737e5a75..a1048e303c 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -6,7 +6,7 @@ import (
 "fmt"
 
 "github.com/containerd/containerd/v2/pkg/apparmor"
- aaprofile "github.com/docker/docker/profiles/apparmor"
+ aaprofile "github.com/moby/profiles/apparmor"
 )
 
 // Define constants for native driver
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index 74b6e4ab9d..db7c2d1546 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -9,7 +9,7 @@ import (
 "github.com/containerd/log"
 dconfig "github.com/docker/docker/daemon/config"
 "github.com/docker/docker/daemon/container"
- "github.com/docker/docker/profiles/seccomp"
+ "github.com/moby/profiles/seccomp"
 "github.com/opencontainers/runtime-spec/specs-go"
 )
 
diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go
index 3d39589f28..7be4d9457b 100644
--- a/daemon/seccomp_linux_test.go
+++ b/daemon/seccomp_linux_test.go
@@ -8,8 +8,8 @@ import (
 "github.com/docker/docker/daemon/container"
 "github.com/docker/docker/oci"
 "github.com/docker/docker/pkg/sysinfo"
- "github.com/docker/docker/profiles/seccomp"
 containertypes "github.com/moby/moby/api/types/container"
+ "github.com/moby/profiles/seccomp"
 "github.com/opencontainers/runtime-spec/specs-go"
 "gotest.tools/v3/assert"
 )
diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
index ae71c5eb08..953d647f70 100644
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -22,6 +22,7 @@ import (
 "github.com/docker/docker/pkg/sysinfo"
 "github.com/docker/docker/testutil"
 "github.com/moby/moby/client"
+ "github.com/moby/profiles/seccomp"
 "github.com/moby/sys/mount"
 "gotest.tools/v3/assert"
 is "gotest.tools/v3/assert/cmp"
@@ -1319,7 +1320,16 @@ func (s *DockerCLIRunSuite) TestRunApparmorProcDirectory(c *testing.T) {
 
 func (s *DockerCLIRunSuite) TestRunSeccompWithDefaultProfile(c *testing.T) {
 testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)
- out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bookworm-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
+ // write the default profile to a file
+ b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
+ assert.NilError(c, err)
+
+ tmpDir := c.TempDir()
+ fileName := filepath.Join(tmpDir, "default.json")
+ err = os.WriteFile(fileName, b, 0o644)
+ assert.NilError(c, err)
+
+ out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp="+fileName, "debian:bookworm-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
 assert.ErrorContains(c, err, "", out)
 assert.Equal(c, strings.TrimSpace(out), "unshare: unshare failed: Operation not permitted")
 }
diff --git a/oci/seccomp_test.go b/oci/seccomp_test.go
index 7fc1af9b9b..321c6522d7 100644
--- a/oci/seccomp_test.go
+++ b/oci/seccomp_test.go
@@ -7,7 +7,7 @@ import (
 "os"
 "testing"
 
- "github.com/docker/docker/profiles/seccomp"
+ "github.com/moby/profiles/seccomp"
 )
 
 func TestSeccompLoadProfile(t *testing.T) {
diff --git a/profiles/apparmor/apparmor_deprecated.go b/profiles/apparmor/apparmor_deprecated.go
new file mode 100644
index 0000000000..91f91c27a2
--- /dev/null
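Review bot: The comment `// write the default profile to a file` in TestRunSeccompWithDefaultProfile says what the block does but not why, and the why is the part a future reader needs: the removed line pointed the daemon at `../profiles/seccomp/default.json`, a repo-relative path that the diffstat shows moving under vendor/github.com/moby/profiles, so the profile is now derived from `seccomp.DefaultProfile()` instead. Suggest `// Write the default profile to a temp file; the former ../profiles/seccomp/default.json now lives in the vendored github.com/moby/profiles module and is not a path to depend on.` This also changes what the test exercises: the profile now reaches the daemon through the `--security-opt seccomp=<file>` custom-profile parsing path after a JSON round trip, rather than as the shipped default.json, and the in-tree check that the two forms agree appears to leave with the deleted profiles/seccomp tests and generate.go, so that equivalence is presumably now the upstream module's responsibility and is worth a sentence in the commit message.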
+++ b/profiles/apparmor/apparmor_deprecated.go
@@ -0,0 +1,21 @@
+//go:build linux
+
+package apparmor
+
+import "github.com/moby/profiles/apparmor"
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+//
+// Deprecated: use [apparmor.InstallDefault].
+func InstallDefault(name string) error {
+ return apparmor.InstallDefault(name)
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+//
+// Deprecated: use [apparmor.IsLoaded].
+func IsLoaded(name string) (bool, error) {
+ return apparmor.IsLoaded(name)
+}
diff --git a/profiles/apparmor/apparmor_linux_test.go b/profiles/apparmor/apparmor_linux_test.go
deleted file mode 100644
index 797077773b..0000000000
--- a/profiles/apparmor/apparmor_linux_test.go
+++ /dev/null
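Review bot: The deprecation notices in apparmor_deprecated.go link to `[apparmor.InstallDefault]` and `[apparmor.IsLoaded]`, but the file is itself `package apparmor` and declares functions of exactly those names, so the notice reads as pointing at itself even though Go resolves the link to the import; spelling out the import path removes the ambiguity: `// Deprecated: use [github.com/moby/profiles/apparmor.InstallDefault].` and `// Deprecated: use [github.com/moby/profiles/apparmor.IsLoaded].` If the package comment lived in the apparmor.go that the diffstat moves to vendor/, this stub package is now undocumented; a one-liner such as `// Package apparmor provides deprecated aliases for github.com/moby/profiles/apparmor.` above the package clause would cover it. The `//go:build linux` constraint keeps these aliases Linux-only, which matches the old exports only if apparmor.go carried the same constraint before the move; that file is not in view, so confirm nothing compiled these names on other platforms.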
@@ -1,197 +0,0 @@ -package apparmor - -import ( - "errors" - "os" - "path" - "path/filepath" - "strings" - "testing" -) - -// testAppArmorProfiles fixture "/sys/kernel/security/apparmor/profiles" -// from an Ubuntu 24.10 host. -const testAppArmorProfiles = `wpcom (unconfined) -wike (unconfined) -vpnns (unconfined) -vivaldi-bin (unconfined) -virtiofsd (unconfined) -vdens (unconfined) -uwsgi-core (unconfined) -rsyslogd (enforce) -/usr/lib/snapd/snap-confine (enforce) -/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce) -tcpdump (enforce) -man_groff (enforce) -man_filter (enforce) -/usr/bin/man (enforce) -userbindmount (unconfined) -unprivileged_userns (enforce) -unix-chkpwd (enforce) -ubuntu_pro_esm_cache_systemd_detect_virt (enforce) -ubuntu_pro_esm_cache_systemctl (enforce) -ubuntu_pro_esm_cache (enforce) -ubuntu_pro_esm_cache//ubuntu_distro_info (enforce) -ubuntu_pro_esm_cache//ps (enforce) -ubuntu_pro_esm_cache//dpkg (enforce) -ubuntu_pro_esm_cache//cloud_id (enforce) -ubuntu_pro_esm_cache//apt_methods_gpgv (enforce) -ubuntu_pro_esm_cache//apt_methods (enforce) -ubuntu_pro_apt_news (enforce) -tuxedo-control-center (unconfined) -tup (unconfined) -trinity (unconfined) -transmission-qt (complain) -transmission-gtk (complain) -transmission-daemon (complain) -transmission-cli (complain) -toybox (unconfined) -thunderbird (unconfined) -systemd-coredump (unconfined) -surfshark (unconfined) -stress-ng (unconfined) -steam (unconfined) -slirp4netns (unconfined) -slack (unconfined) -signal-desktop (unconfined) -scide (unconfined) -sbuild-upgrade (unconfined) -sbuild-update (unconfined) -sbuild-unhold (unconfined) -sbuild-shell (unconfined) -sbuild-hold (unconfined) -sbuild-distupgrade (unconfined) -sbuild-destroychroot (unconfined) -sbuild-createchroot (unconfined) -sbuild-clean (unconfined) -sbuild-checkpackages (unconfined) -sbuild-apt (unconfined) -sbuild-adduser (unconfined) -sbuild-abort (unconfined) -sbuild (unconfined) -runc (unconfined) -rssguard 
(unconfined) -rpm (unconfined) -rootlesskit (unconfined) -qutebrowser (unconfined) -qmapshack (unconfined) -qcam (unconfined) -privacybrowser (unconfined) -polypane (unconfined) -podman (unconfined) -plasmashell (enforce) -plasmashell//QtWebEngineProcess (enforce) -pageedit (unconfined) -opera (unconfined) -opam (unconfined) -obsidian (unconfined) -nvidia_modprobe (enforce) -nvidia_modprobe//kmod (enforce) -notepadqq (unconfined) -nautilus (unconfined) -msedge (unconfined) -mmdebstrap (unconfined) -lxc-usernsexec (unconfined) -lxc-unshare (unconfined) -lxc-stop (unconfined) -lxc-execute (unconfined) -lxc-destroy (unconfined) -lxc-create (unconfined) -lxc-attach (unconfined) -lsb_release (enforce) -loupe (unconfined) -linux-sandbox (unconfined) -libcamerify (unconfined) -lc-compliance (unconfined) -keybase (unconfined) -kchmviewer (unconfined) -ipa_verify (unconfined) -goldendict (unconfined) -github-desktop (unconfined) -geary (unconfined) -foliate (unconfined) -flatpak (unconfined) -firefox (unconfined) -evolution (unconfined) -epiphany (unconfined) -element-desktop (unconfined) -devhelp (unconfined) -crun (unconfined) -vscode (unconfined) -chromium (unconfined) -chrome (unconfined) -ch-run (unconfined) -ch-checkns (unconfined) -cam (unconfined) -busybox (unconfined) -buildah (unconfined) -brave (unconfined) -balena-etcher (unconfined) -Xorg (complain) -QtWebEngineProcess (unconfined) -MongoDB Compass (unconfined) -Discord (unconfined) -1password (unconfined) -` - -func TestIsLoaded(t *testing.T) { - tmpDir := t.TempDir() - profiles := path.Join(tmpDir, "apparmor_profiles") - if err := os.WriteFile(profiles, []byte(testAppArmorProfiles), 0o644); err != nil { - t.Fatal(err) - } - t.Run("loaded", func(t *testing.T) { - found, err := isLoaded("busybox", profiles) - if err != nil { - t.Fatal(err) - } - if !found { - t.Fatal("expected profile to be loaded") - } - }) - t.Run("not loaded", func(t *testing.T) { - found, err := isLoaded("no-such-profile", profiles) - if 
err != nil { - t.Fatal(err) - } - if found { - t.Fatal("expected profile to not be loaded") - } - }) - t.Run("error", func(t *testing.T) { - _, err := isLoaded("anything", path.Join(tmpDir, "no_such_file")) - if err == nil || !errors.Is(err, os.ErrNotExist) { - t.Fatalf("expected error to be os.ErrNotExist, got %v", err) - } - }) -} - -func createTestProfiles(b *testing.B, lines int, targetProfile string) string { - b.Helper() - - var sb strings.Builder - for i := 0; i < lines-1; i++ { - sb.WriteString("someprofile (enforcing)\n") - } - sb.WriteString(targetProfile + " (enforcing)\n") - - fileName := filepath.Join(b.TempDir(), "apparmor_profiles") - if err := os.WriteFile(fileName, []byte(sb.String()), 0o644); err != nil { - b.Fatal(err) - } - return fileName -} - -func BenchmarkIsLoaded(b *testing.B) { - const target = "myprofile" - profiles := createTestProfiles(b, 10000, target) - - b.ReportAllocs() - b.ResetTimer() - for i := 0; i < b.N; i++ { - found, err := isLoaded(target, profiles) - if err != nil || !found { - b.Fatalf("expected profile to be found, got found=%v, err=%v", found, err) - } - } -} diff --git a/profiles/seccomp/fixtures/conditional_include.json b/profiles/seccomp/fixtures/conditional_include.json deleted file mode 100644 index 09a3d2a700..0000000000 --- a/profiles/seccomp/fixtures/conditional_include.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "syscalls": [ - { - "names": ["chmod"], - "action": "SCMP_ACT_ALLOW" - }, - { - "names": ["syslog"], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": ["CAP_SYSLOG"] - } - }, - { - "names": ["ptrace"], - "action": "SCMP_ACT_ALLOW", - "excludes": { - "caps": ["CAP_SYS_ADMIN"] - } - } - ] -} diff --git a/profiles/seccomp/fixtures/default-old-format.json b/profiles/seccomp/fixtures/default-old-format.json deleted file mode 100644 index 0e52bf95ec..0000000000 --- a/profiles/seccomp/fixtures/default-old-format.json +++ /dev/null 
@@ -1,1593 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "architectures": [ - "SCMP_ARCH_X86_64", - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ], - "syscalls": [ - { - "name": "accept", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "accept4", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "access", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "alarm", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "bind", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "brk", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capset", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_getres", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "close", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "connect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "copy_file_range", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "creat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup3", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_create1", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_ctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - 
"name": "epoll_ctl_old", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_pwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_wait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_wait_old", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "eventfd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "eventfd2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execve", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execveat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit_group", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "faccessat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64_64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fallocate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fanotify_mark", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmodat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchownat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fdatasync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "flistxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "flock", - "action": "SCMP_ACT_ALLOW", - "args": 
[] - }, - { - "name": "fork", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fsetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fsync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futex", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futimesat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcpu", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcwd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getitimer", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpeername", - "action": "SCMP_ACT_ALLOW", - "args": 
[] - }, - { - "name": "getpgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpgrp", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getppid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpriority", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrandom", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrlimit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "get_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrusage", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsockname", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsockopt", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "get_thread_area", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettimeofday", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_add_watch", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_init", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_init1", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_rm_watch", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": 
"io_cancel", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_destroy", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_getevents", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioprio_get", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioprio_set", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_setup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_submit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ipc", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "kill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lchown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lchown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "link", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "linkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "listen", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "listxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "llistxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "_llseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lsetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "madvise", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "memfd_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mincore", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdir", 
- "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdirat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mknod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mknodat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlock", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlock2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlockall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mprotect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_getsetattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_notify", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_open", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_timedreceive", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_timedsend", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_unlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mremap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgrcv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgsnd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munlock", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munlockall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "newfstatat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "_newselect", - 
"action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "open", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "openat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pause", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 0, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 8, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 4294967295, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "pipe", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pipe2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "poll", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ppoll", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pread64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "preadv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prlimit64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pselect6", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwrite64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwritev", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "read", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readahead", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvfrom", - 
"action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvmmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "remap_file_pages", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "removexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rename", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "restart_syscall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rmdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigaction", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigpending", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigprocmask", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigreturn", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigsuspend", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigtimedwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_tgsigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getaffinity", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getparam", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_get_priority_max", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_get_priority_min", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getscheduler", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_rr_get_interval", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setaffinity", - "action": 
"SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setparam", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setscheduler", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_yield", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "seccomp", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "select", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semop", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semtimedop", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "send", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendmmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendto", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgroups", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgroups32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setitimer", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setpgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": 
"setpriority", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setregid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setregid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setresgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setresgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setresuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setresuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setreuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setreuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setrlimit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "set_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setsid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setsockopt", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "set_thread_area", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "set_tid_address", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "shmat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "shmctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "shmdt", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "shmget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "shutdown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sigaltstack", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "signalfd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "signalfd4", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sigreturn", - "action": "SCMP_ACT_ALLOW", - 
"args": [] - }, - { - "name": "socket", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "socketcall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "socketpair", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "splice", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "stat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "stat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "statfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "statfs64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "symlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "symlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sync_file_range", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "syncfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sysinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "syslog", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "tee", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "tgkill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "time", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_delete", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timerfd_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timerfd_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timerfd_settime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_getoverrun", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_settime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "times", - "action": 
"SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "tkill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "truncate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "truncate64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ugetrlimit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "umask", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "uname", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "unlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "unlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utimensat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utimes", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "vfork", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "vmsplice", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "wait4", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "waitid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "waitpid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "write", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "writev", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "arch_prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "modify_ldt", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chroot", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clone", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 2080505856, - "valueTwo": 0, - "op": "SCMP_CMP_MASKED_EQ" - } - ] - } - ] -} \ No newline at end of file diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json deleted file mode 100644 index 80c5a3152d..0000000000 --- a/profiles/seccomp/fixtures/example.json +++ /dev/null 
@@ -1,34 +0,0 @@
-{
- "defaultAction": "SCMP_ACT_ERRNO",
- "defaultErrnoRet": 1,
- "syscalls": [
- {
- "name": "clone",
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 2114060288,
- "valueTwo": 0,
- "op": "SCMP_CMP_MASKED_EQ"
- }
- ]
- },
- {
- "name": "open",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "close",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "syslog",
- "action": "SCMP_ACT_ERRNO",
- "errnoRet": 12345,
- "args": []
- }
- ]
-}
diff --git a/profiles/seccomp/generate.go b/profiles/seccomp/generate.go
deleted file mode 100644
index 8381544596..0000000000
--- a/profiles/seccomp/generate.go
+++ /dev/null
@@ -1,31 +0,0 @@
-//go:build ignore
-
-package main
-
-import (
- "encoding/json"
- "os"
- "path/filepath"
-
- "github.com/docker/docker/profiles/seccomp"
-)
-
-// saves the default seccomp profile as a json file so people can use it as a
-// base for their own custom profiles
-func main() {
- wd, err := os.Getwd()
- if err != nil {
- panic(err)
- }
- f := filepath.Join(wd, "default.json")
-
- // write the default profile to the file
- b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
- if err != nil {
- panic(err)
- }
-
- if err := os.WriteFile(f, b, 0o644); err != nil {
- panic(err)
- }
-}
diff --git a/profiles/seccomp/kernel_linux_test.go b/profiles/seccomp/kernel_linux_test.go
deleted file mode 100644
index 830ea5c3b9..0000000000
--- a/profiles/seccomp/kernel_linux_test.go
+++ /dev/null
@@ -1,120 +0,0 @@ -package seccomp - -import ( - "errors" - "testing" -) - -func TestGetKernelVersion(t *testing.T) { - version, err := getKernelVersion() - if err != nil { - t.Fatal(err) - } - if version == nil { - t.Fatal("version is nil") - } - if version.Kernel == 0 { - t.Fatal("no kernel version") - } -} - -// TestParseRelease tests the ParseRelease() function -func TestParseRelease(t *testing.T) { - tests := []struct { - in string - out KernelVersion - expectedErr error - }{ - {in: "3.8", out: KernelVersion{Kernel: 3, Major: 8}}, - {in: "3.8.0", out: KernelVersion{Kernel: 3, Major: 8}}, - {in: "3.8.0-19-generic", out: KernelVersion{Kernel: 3, Major: 8}}, - {in: "3.4.54.longterm-1", out: KernelVersion{Kernel: 3, Major: 4}}, - {in: "3.10.0-862.2.3.el7.x86_64", out: KernelVersion{Kernel: 3, Major: 10}}, - {in: "3.12.8tag", out: KernelVersion{Kernel: 3, Major: 12}}, - {in: "3.12-1-amd64", out: KernelVersion{Kernel: 3, Major: 12}}, - {in: "3.12foobar", out: KernelVersion{Kernel: 3, Major: 12}}, - {in: "99.999.999-19-generic", out: KernelVersion{Kernel: 99, Major: 999}}, - {in: "", expectedErr: errors.New(`failed to parse kernel version "": EOF`)}, - {in: "3", expectedErr: errors.New(`failed to parse kernel version "3": unexpected EOF`)}, - {in: "3.", expectedErr: errors.New(`failed to parse kernel version "3.": EOF`)}, - {in: "3a", expectedErr: errors.New(`failed to parse kernel version "3a": input does not match format`)}, - {in: "3.a", expectedErr: errors.New(`failed to parse kernel version "3.a": expected integer`)}, - {in: "a", expectedErr: errors.New(`failed to parse kernel version "a": expected integer`)}, - {in: "a.a", expectedErr: errors.New(`failed to parse kernel version "a.a": expected integer`)}, - {in: "a.a.a-a", expectedErr: errors.New(`failed to parse kernel version "a.a.a-a": expected integer`)}, - {in: "-3", expectedErr: errors.New(`failed to parse kernel version "-3": expected integer`)}, - {in: "-3.", expectedErr: errors.New(`failed to parse 
kernel version "-3.": expected integer`)}, - {in: "-3.8", expectedErr: errors.New(`failed to parse kernel version "-3.8": expected integer`)}, - {in: "-3.-8", expectedErr: errors.New(`failed to parse kernel version "-3.-8": expected integer`)}, - {in: "3.-8", expectedErr: errors.New(`failed to parse kernel version "3.-8": expected integer`)}, - } - for _, tc := range tests { - t.Run(tc.in, func(t *testing.T) { - version, err := parseRelease(tc.in) - if tc.expectedErr != nil { - if err == nil { - t.Fatal("expected an error") - } - if err.Error() != tc.expectedErr.Error() { - t.Fatalf("expected: %s, got: %s", tc.expectedErr, err) - } - return - } - if err != nil { - t.Fatal("unexpected error:", err) - } - if version == nil { - t.Fatal("version is nil") - } - if version.Kernel != tc.out.Kernel || version.Major != tc.out.Major { - t.Fatalf("expected: %d.%d, got: %d.%d", tc.out.Kernel, tc.out.Major, version.Kernel, version.Major) - } - }) - } -} - -func TestKernelGreaterEqualThan(t *testing.T) { - // Get the current kernel version, so that we can make test relative to that - v, err := getKernelVersion() - if err != nil { - t.Fatal(err) - } - - tests := []struct { - doc string - in KernelVersion - expected bool - }{ - { - doc: "same version", - in: KernelVersion{v.Kernel, v.Major}, - expected: true, - }, - { - doc: "kernel minus one", - in: KernelVersion{v.Kernel - 1, v.Major}, - expected: true, - }, - { - doc: "kernel plus one", - in: KernelVersion{v.Kernel + 1, v.Major}, - expected: false, - }, - { - doc: "major plus one", - in: KernelVersion{v.Kernel, v.Major + 1}, - expected: false, - }, - } - for _, tc := range tests { - t.Run(tc.doc+": "+tc.in.String(), func(t *testing.T) { - ok, err := kernelGreaterEqualThan(tc.in) - if err != nil { - t.Fatal("unexpected error:", err) - } - if ok != tc.expected { - t.Fatalf("expected: %v, got: %v", tc.expected, ok) - } - }) - } -} 
diff --git a/profiles/seccomp/seccomp_deprecated.go b/profiles/seccomp/seccomp_deprecated.go
new file mode 100644
index 0000000000..39aff1a39b
--- /dev/null
+++ b/profiles/seccomp/seccomp_deprecated.go
@@ -0,0 +1,37 @@
+package seccomp
+
+import "github.com/moby/profiles/seccomp"
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+// It is used to marshal/unmarshal the JSON profiles as accepted by docker, and
+// extends the runtime-spec's specs.LinuxSeccomp, overriding some fields to
+// provide the ability to define conditional rules based on the host's kernel
+// version, architecture, and the container's capabilities.
+//
+// Deprecated: use [seccomp.Seccomp].
+type Seccomp = seccomp.Seccomp
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+//
+// Deprecated: use [seccomp.Architecture].
+type Architecture = seccomp.Architecture
+
+// Filter is used to conditionally apply Seccomp rules
+//
+// Deprecated: use [seccomp.Filter].
+type Filter = seccomp.Filter
+
+// Syscall is used to match a group of syscalls in Seccomp. It extends the
+// runtime-spec Syscall type, adding a "Name" field for backward compatibility
+// with older JSON representations, additional "Comment" metadata, and conditional
+// rules ("Includes", "Excludes") used to generate a runtime-spec Seccomp profile
+// based on the container (capabilities) and host's (arch, kernel) configuration.
+//
+// Deprecated: use [seccomp.Syscall].
+type Syscall = seccomp.Syscall
+
+// KernelVersion holds information about the kernel.
+//
+// Deprecated: use [seccomp.KernelVersion].
+type KernelVersion = seccomp.KernelVersion
diff --git a/profiles/seccomp/seccomp_deprecated_linux.go b/profiles/seccomp/seccomp_deprecated_linux.go
new file mode 100644
index 0000000000..932a1d56ed
--- /dev/null
+++ b/profiles/seccomp/seccomp_deprecated_linux.go
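Review bot: The `Deprecated:` notices on the five aliases point at `[seccomp.Seccomp]`, `[seccomp.Architecture]` and so on, and inside a package that is itself named `seccomp` that reads as a link to the very alias being deprecated; the three wrappers in the seccomp_deprecated_linux.go hunk use the same form. The doc link resolves through the file's import of github.com/moby/profiles/seccomp, but the rendered package index shows only the identifier, so spelling out the import path removes the ambiguity, e.g. `// Deprecated: use [github.com/moby/profiles/seccomp.Seccomp].` The aliases are exact type aliases, so existing callers keep identical types and behaviour. A one-line package note saying that the default profile, its fixtures and its tests now live in the external module would also help, since this commit deletes seccomp_test.go, kernel_linux_test.go and the fixtures while the diffstat adds no replacement in this tree.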
@@ -0,0 +1,27 @@
+package seccomp
+
+import (
+ "github.com/moby/profiles/seccomp"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// DefaultProfile defines the allowed syscalls for the default seccomp profile.
+//
+// Deprecated: use [seccomp.DefaultProfile].
+func DefaultProfile() *seccomp.Seccomp {
+ return seccomp.DefaultProfile()
+}
+
+// GetDefaultProfile returns the default seccomp profile.
+//
+// Deprecated: use [seccomp.GetDefaultProfile].
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return seccomp.GetDefaultProfile(rs)
+}
+
+// LoadProfile takes a json string and decodes the seccomp profile.
+//
+// Deprecated: use [seccomp.LoadProfile].
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return seccomp.LoadProfile(body, rs)
+}
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
deleted file mode 100644
index 3660517e7d..0000000000
--- a/profiles/seccomp/seccomp_test.go
+++ /dev/null
@@ -1,314 +0,0 @@ -//go:build linux - -package seccomp - -import ( - "encoding/json" - "os" - "reflect" - "strings" - "testing" - - "github.com/opencontainers/runtime-spec/specs-go" -) - -func assertDeepEqual(t *testing.T, expected interface{}, actual interface{}) { - t.Helper() - if !reflect.DeepEqual(expected, actual) { - t.Fatalf("\nexpected: %+#v\ngot : %+#v", expected, actual) - } -} - -func TestLoadProfile(t *testing.T) { - f, err := os.ReadFile("fixtures/example.json") - if err != nil { - t.Fatal(err) - } - rs := createSpec() - p, err := LoadProfile(string(f), &rs) - if err != nil { - t.Fatal(err) - } - var expectedErrno uint = 12345 - var expectedDefaultErrno uint = 1 - expected := specs.LinuxSeccomp{ - DefaultAction: specs.ActErrno, - DefaultErrnoRet: &expectedDefaultErrno, - Syscalls: []specs.LinuxSyscall{ - { - Names: []string{"clone"}, - Action: specs.ActAllow, - Args: []specs.LinuxSeccompArg{{ - Index: 0, - Value: 2114060288, - ValueTwo: 0, - Op: specs.OpMaskedEqual, - }}, - }, - { - Names: []string{"open"}, - Action: specs.ActAllow, - Args: []specs.LinuxSeccompArg{}, - }, - { - Names: []string{"close"}, - Action: specs.ActAllow, - Args: []specs.LinuxSeccompArg{}, - }, - { - Names: []string{"syslog"}, - Action: specs.ActErrno, - ErrnoRet: &expectedErrno, - Args: []specs.LinuxSeccompArg{}, - }, - }, - } - - assertDeepEqual(t, expected, *p) -} - -func TestLoadProfileWithDefaultErrnoRet(t *testing.T) { - profile := []byte(`{ -"defaultAction": "SCMP_ACT_ERRNO", -"defaultErrnoRet": 6 -}`) - rs := createSpec() - p, err := LoadProfile(string(profile), &rs) - if err != nil { - t.Fatal(err) - } - - expectedErrnoRet := uint(6) - expected := specs.LinuxSeccomp{ - DefaultAction: specs.ActErrno, - DefaultErrnoRet: &expectedErrnoRet, - } - - assertDeepEqual(t, expected, *p) -} - -func TestLoadProfileWithListenerPath(t *testing.T) { - profile := []byte(`{ -"defaultAction": "SCMP_ACT_ERRNO", -"listenerPath": "/var/run/seccompaget.sock", -"listenerMetadata": 
"opaque-metadata" -}`) - rs := createSpec() - p, err := LoadProfile(string(profile), &rs) - if err != nil { - t.Fatal(err) - } - - expected := specs.LinuxSeccomp{ - DefaultAction: specs.ActErrno, - ListenerPath: "/var/run/seccompaget.sock", - ListenerMetadata: "opaque-metadata", - } - - assertDeepEqual(t, expected, *p) -} - -func TestLoadProfileWithFlag(t *testing.T) { - profile := `{"defaultAction": "SCMP_ACT_ERRNO", "flags": ["SECCOMP_FILTER_FLAG_SPEC_ALLOW", "SECCOMP_FILTER_FLAG_LOG"]}` - expected := specs.LinuxSeccomp{ - DefaultAction: specs.ActErrno, - Flags: []specs.LinuxSeccompFlag{"SECCOMP_FILTER_FLAG_SPEC_ALLOW", "SECCOMP_FILTER_FLAG_LOG"}, - } - rs := createSpec() - p, err := LoadProfile(profile, &rs) - if err != nil { - t.Fatal(err) - } - assertDeepEqual(t, expected, *p) -} - -// TestLoadProfileValidation tests that invalid profiles produce the correct error. -func TestLoadProfileValidation(t *testing.T) { - tests := []struct { - doc string - profile string - expected string - }{ - { - doc: "conflicting architectures and archMap", - profile: `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["A", "B", "C"], "archMap": [{"architecture": "A", "subArchitectures": ["B", "C"]}]}`, - expected: `both 'architectures' and 'archMap' are specified in the seccomp profile, use either 'architectures' or 'archMap'`, - }, - { - doc: "conflicting syscall.name and syscall.names", - profile: `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"name": "accept", "names": ["accept"], "action": "SCMP_ACT_ALLOW"}]}`, - expected: `both 'name' and 'names' are specified in the seccomp profile, use either 'name' or 'names'`, - }, - } - for _, tc := range tests { - rs := createSpec() - t.Run(tc.doc, func(t *testing.T) { - _, err := LoadProfile(tc.profile, &rs) - if err == nil { - t.Fatal("expected error") - } - if tc.expected != err.Error() { - t.Fatalf("expected: %q, got: %q", tc.expected, err) - } - }) - } -} - -// TestLoadLegacyProfile tests loading a seccomp profile in the 
old format -// (before https://github.com/docker/docker/pull/24510) -func TestLoadLegacyProfile(t *testing.T) { - f, err := os.ReadFile("fixtures/default-old-format.json") - if err != nil { - t.Fatal(err) - } - rs := createSpec() - p, err := LoadProfile(string(f), &rs) - if err != nil { - t.Fatal(err) - } - if p.DefaultAction != specs.ActErrno { - t.Fatalf("expected default action %s, got %s", specs.ActErrno, p.DefaultAction) - } - expectedArches := []specs.Arch{"SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"} - assertDeepEqual(t, expectedArches, p.Architectures) - - if expected := 311; len(p.Syscalls) != expected { - t.Fatalf("expected %d syscalls, got %d", expected, len(p.Syscalls)) - } - expected := specs.LinuxSyscall{ - Names: []string{"accept"}, - Action: specs.ActAllow, - Args: []specs.LinuxSeccompArg{}, - } - assertDeepEqual(t, expected, p.Syscalls[0]) -} - -func TestLoadDefaultProfile(t *testing.T) { - f, err := os.ReadFile("default.json") - if err != nil { - t.Fatal(err) - } - rs := createSpec() - if _, err := LoadProfile(string(f), &rs); err != nil { - t.Fatal(err) - } -} - -func TestUnmarshalDefaultProfile(t *testing.T) { - expected := DefaultProfile() - if expected == nil { - t.Skip("seccomp not supported") - } - - f, err := os.ReadFile("default.json") - if err != nil { - t.Fatal(err) - } - var profile Seccomp - err = json.Unmarshal(f, &profile) - if err != nil { - t.Fatal(err) - } - assertDeepEqual(t, expected.Architectures, profile.Architectures) - assertDeepEqual(t, expected.ArchMap, profile.ArchMap) - assertDeepEqual(t, expected.DefaultAction, profile.DefaultAction) - assertDeepEqual(t, expected.Syscalls, profile.Syscalls) -} - -func TestMarshalUnmarshalFilter(t *testing.T) { - t.Parallel() - tests := []struct { - in string - out string - error bool - }{ - {in: `{"arches":["s390x"],"minKernel":3}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":3.12}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":true}`, error: true}, - {in: 
`{"arches":["s390x"],"minKernel":"0.0"}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":"3"}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":".3"}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":"3."}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":"true"}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":"3.12.1\""}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":"4.15abc"}`, error: true}, - {in: `{"arches":["s390x"],"minKernel":null}`, out: `{"arches":["s390x"]}`}, - {in: `{"arches":["s390x"],"minKernel":""}`, out: `{"arches":["s390x"],"minKernel":""}`}, // FIXME: try to fix omitempty for this - {in: `{"arches":["s390x"],"minKernel":"0.5"}`, out: `{"arches":["s390x"],"minKernel":"0.5"}`}, - {in: `{"arches":["s390x"],"minKernel":"0.50"}`, out: `{"arches":["s390x"],"minKernel":"0.50"}`}, - {in: `{"arches":["s390x"],"minKernel":"5.0"}`, out: `{"arches":["s390x"],"minKernel":"5.0"}`}, - {in: `{"arches":["s390x"],"minKernel":"50.0"}`, out: `{"arches":["s390x"],"minKernel":"50.0"}`}, - {in: `{"arches":["s390x"],"minKernel":"4.15"}`, out: `{"arches":["s390x"],"minKernel":"4.15"}`}, - } - for _, tc := range tests { - t.Run(tc.in, func(t *testing.T) { - var filter Filter - err := json.Unmarshal([]byte(tc.in), &filter) - if tc.error { - if err == nil { - t.Fatal("expected an error") - } else if !strings.Contains(err.Error(), "invalid kernel version") { - t.Fatal("unexpected error:", err) - } - return - } - if err != nil { - t.Fatal(err) - } - out, err := json.Marshal(filter) - if err != nil { - t.Fatal(err) - } - if string(out) != tc.out { - t.Fatalf("expected %s, got %s", tc.out, string(out)) - } - }) - } -} - -func TestLoadConditional(t *testing.T) { - f, err := os.ReadFile("fixtures/conditional_include.json") - if err != nil { - t.Fatal(err) - } - tests := []struct { - doc string - cap string - expected []string - }{ - {doc: "no caps", expected: []string{"chmod", "ptrace"}}, - {doc: "with syslog", cap: "CAP_SYSLOG", 
expected: []string{"chmod", "syslog", "ptrace"}},
- {doc: "no ptrace", cap: "CAP_SYS_ADMIN", expected: []string{"chmod"}},
- }
-
- for _, tc := range tests {
- t.Run(tc.doc, func(t *testing.T) {
- rs := createSpec(tc.cap)
- p, err := LoadProfile(string(f), &rs)
- if err != nil {
- t.Fatal(err)
- }
- if len(p.Syscalls) != len(tc.expected) {
- t.Fatalf("expected %d syscalls in profile, have %d", len(tc.expected), len(p.Syscalls))
- }
- for i, v := range p.Syscalls {
- if v.Names[0] != tc.expected[i] {
- t.Fatalf("expected %s syscall, have %s", tc.expected[i], v.Names[0])
- }
- }
- })
- }
-}
-
-// createSpec() creates a minimum spec for testing
-func createSpec(caps ...string) specs.Spec {
- rs := specs.Spec{
- Process: &specs.Process{
- Capabilities: &specs.LinuxCapabilities{},
- },
- }
- if caps != nil {
- rs.Process.Capabilities.Bounding = append(rs.Process.Capabilities.Bounding, caps...)
- }
- return rs
-}
diff --git a/vendor.mod b/vendor.mod
index 17be21fea6..24fc9c9e37 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -68,6 +68,8 @@ require (
 github.com/moby/ipvs v1.1.0
 github.com/moby/locker v1.0.1
 github.com/moby/patternmatcher v0.6.0
+ github.com/moby/profiles/apparmor v0.1.0
+ github.com/moby/profiles/seccomp v0.1.0
 github.com/moby/pubsub v1.0.0
 github.com/moby/swarmkit/v2 v2.0.0
 github.com/moby/sys/atomicwriter v0.1.0
diff --git a/vendor.sum b/vendor.sum
index e77f4c713c..a66ece3f28 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -395,6 +395,10 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+github.com/moby/profiles/apparmor v0.1.0 h1:dMUt6fqdOeU9tfKjntPN9hBY1C5tJtsUWZNiIuHK8QM=
+github.com/moby/profiles/apparmor v0.1.0/go.mod h1:2iRxPw+MrPuDvmb5lAEAeLB1kcOt7AzZeW3paBs2TQY=
+github.com/moby/profiles/seccomp v0.1.0 h1:kVf1lc5ytNB1XPxEdZUVF+oPpbBYJHR50eEvPt/9k8A=
+github.com/moby/profiles/seccomp v0.1.0/go.mod h1:Kqk57vxH6/wuOc5bmqRiSXJ6iEz8Pvo3LQRkv0ytFWs=
 github.com/moby/pubsub v1.0.0 h1:jkp/imWsmJz2f6LyFsk7EkVeN2HxR/HTTOY8kHrsxfA=
 github.com/moby/pubsub v1.0.0/go.mod h1:bXSO+3h5MNXXCaEG+6/NlAIk7MMZbySZlnB+cUQhKKc=
 github.com/moby/swarmkit/v2 v2.0.0 h1:jkWQKQaJ4ltA61/mC9UdPe1McLma55RUcacTO+pPweY=
diff --git a/vendor/github.com/moby/profiles/apparmor/LICENSE b/vendor/github.com/moby/profiles/apparmor/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/moby/profiles/apparmor/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/profiles/apparmor/apparmor.go b/vendor/github.com/moby/profiles/apparmor/apparmor.go similarity index 100% rename from profiles/apparmor/apparmor.go rename to vendor/github.com/moby/profiles/apparmor/apparmor.go diff --git a/profiles/apparmor/template.go b/vendor/github.com/moby/profiles/apparmor/template.go similarity index 96% rename from profiles/apparmor/template.go rename to vendor/github.com/moby/profiles/apparmor/template.go index 35c75300f8..2ebcc218a7 100644 --- a/profiles/apparmor/template.go +++ b/vendor/github.com/moby/profiles/apparmor/template.go 
@@ -6,7 +6,6 @@ package apparmor
 // change to this profile, please make follow-up PRs to those projects so
 // that these rules can be synchronised (because any issue with this
 // profile will likely affect libpod and containerd).
-// TODO: Move this to a common project so we can maintain it in one spot.
 
 // baseTemplate defines the default apparmor profile for containers.
 const baseTemplate = `
diff --git a/vendor/github.com/moby/profiles/seccomp/LICENSE b/vendor/github.com/moby/profiles/seccomp/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/moby/profiles/seccomp/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/profiles/seccomp/default.json b/vendor/github.com/moby/profiles/seccomp/default.json
similarity index 100%
rename from profiles/seccomp/default.json
rename to vendor/github.com/moby/profiles/seccomp/default.json
diff --git a/profiles/seccomp/default_linux.go b/vendor/github.com/moby/profiles/seccomp/default_linux.go
similarity index 100%
rename from profiles/seccomp/default_linux.go
rename to vendor/github.com/moby/profiles/seccomp/default_linux.go
diff --git a/profiles/seccomp/kernel_linux.go b/vendor/github.com/moby/profiles/seccomp/kernel_linux.go
similarity index 100%
rename from profiles/seccomp/kernel_linux.go
rename to vendor/github.com/moby/profiles/seccomp/kernel_linux.go
diff --git a/profiles/seccomp/seccomp.go b/vendor/github.com/moby/profiles/seccomp/seccomp.go
similarity index 100%
rename from profiles/seccomp/seccomp.go
rename to vendor/github.com/moby/profiles/seccomp/seccomp.go
diff --git a/profiles/seccomp/seccomp_linux.go b/vendor/github.com/moby/profiles/seccomp/seccomp_linux.go
similarity index 100%
rename from profiles/seccomp/seccomp_linux.go
rename to vendor/github.com/moby/profiles/seccomp/seccomp_linux.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 46c7ff0ed6..4a26ae361e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -970,6 +970,12 @@ github.com/moby/moby/client
 ## explicit; go 1.19
 github.com/moby/patternmatcher
 github.com/moby/patternmatcher/ignorefile
+# github.com/moby/profiles/apparmor v0.1.0
+## explicit; go 1.23.0
+github.com/moby/profiles/apparmor
+# github.com/moby/profiles/seccomp v0.1.0
+## explicit; go 1.23.0
+github.com/moby/profiles/seccomp
 # github.com/moby/pubsub v1.0.0
 ## explicit; go 1.19
 github.com/moby/pubsub