| 728 | } |
| 729 | |
| 730 | func seccompGetPolicyContent(s *state.State, c Instance) (string, error) { |
| 731 | config := c.ExpandedConfig() |
| 732 | |
| 733 | // Full policy override |
| 734 | raw := config["raw.seccomp"] |
| 735 | if raw != "" { |
| 736 | return raw, nil |
| 737 | } |
| 738 | |
| 739 | // Policy header |
| 740 | policy := seccompHeader |
| 741 | allowlist := config["security.syscalls.allow"] |
| 742 | if allowlist == "" { |
| 743 | allowlist = config["security.syscalls.whitelist"] |
| 744 | } |
| 745 | |
| 746 | if allowlist != "" { |
| 747 | policy += "allowlist\n[all]\n" |
| 748 | policy += allowlist |
| 749 | } else { |
| 750 | policy += "denylist\n[all]\n" |
| 751 | |
| 752 | defaultFlag, ok := config["security.syscalls.deny_default"] |
| 753 | if !ok { |
| 754 | defaultFlag, ok = config["security.syscalls.blacklist_default"] |
| 755 | } |
| 756 | |
| 757 | if !ok || util.IsTrue(defaultFlag) { |
| 758 | policy += defaultSeccompPolicy |
| 759 | } |
| 760 | } |
| 761 | |
| 762 | // Syscall interception |
| 763 | ok, err := InstanceNeedsIntercept(s, c) |
| 764 | if err != nil { |
| 765 | return "", err |
| 766 | } |
| 767 | |
| 768 | if ok { |
| 769 | // Prevent the container from overriding our syscall |
| 770 | // supervision. |
| 771 | policy += seccompNotifyDisallow |
| 772 | |
| 773 | if util.IsTrue(config["security.syscalls.intercept.mknod"]) { |
| 774 | policy += seccompNotifyMknod |
| 775 | } |
| 776 | |
| 777 | if util.IsTrue(config["security.syscalls.intercept.sched_setscheduler"]) { |
| 778 | policy += seccompNotifySchedSetscheduler |
| 779 | } |
| 780 | |
| 781 | if util.IsTrue(config["security.syscalls.intercept.setxattr"]) { |
| 782 | policy += seccompNotifySetxattr |
| 783 | } |
| 784 | |
| 785 | if util.IsTrue(config["security.syscalls.intercept.sysinfo"]) { |
| 786 | policy += seccompNotifySysinfo |
| 787 | } |