mirror of
https://github.com/containers/podman.git
synced 2025-09-25 15:55:32 +08:00
Switch to containers/common for seccomp
The seccomp/containers-golang library is not maintained any more and we should stick to containers/common. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This commit is contained in:
Sascha Grunert
53
vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
generated
vendored
53
vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
generated
vendored
@ -72,7 +72,17 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
|
||||
#define SCMP_ACT_LOG 0x7ffc0000U
|
||||
#endif
|
||||
|
||||
#ifndef SCMP_ACT_KILL_PROCESS
|
||||
#define SCMP_ACT_KILL_PROCESS 0x80000000U
|
||||
#endif
|
||||
|
||||
#ifndef SCMP_ACT_KILL_THREAD
|
||||
#define SCMP_ACT_KILL_THREAD 0x00000000U
|
||||
#endif
|
||||
|
||||
const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
|
||||
const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS;
|
||||
const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD;
|
||||
const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP;
|
||||
const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
|
||||
const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
|
||||
@ -203,7 +213,7 @@ const (
|
||||
archEnd ScmpArch = ArchS390X
|
||||
// Comparison boundaries to check for action validity
|
||||
actionStart ScmpAction = ActKill
|
||||
actionEnd ScmpAction = ActLog
|
||||
actionEnd ScmpAction = ActKillProcess
|
||||
// Comparison boundaries to check for comparison operator validity
|
||||
compareOpStart ScmpCompareOp = CompareNotEqual
|
||||
compareOpEnd ScmpCompareOp = CompareMaskedEqual
|
||||
@ -236,7 +246,7 @@ func ensureSupportedVersion() error {
|
||||
}
|
||||
|
||||
// Get the API level
|
||||
func getApi() (uint, error) {
|
||||
func getAPI() (uint, error) {
|
||||
api := C.seccomp_api_get()
|
||||
if api == 0 {
|
||||
return 0, fmt.Errorf("API level operations are not supported")
|
||||
@ -246,9 +256,9 @@ func getApi() (uint, error) {
|
||||
}
|
||||
|
||||
// Set the API level
|
||||
func setApi(api uint) error {
|
||||
func setAPI(api uint) error {
|
||||
if retCode := C.seccomp_api_set(C.uint(api)); retCode != 0 {
|
||||
if syscall.Errno(-1*retCode) == syscall.EOPNOTSUPP {
|
||||
if errRc(retCode) == syscall.EOPNOTSUPP {
|
||||
return fmt.Errorf("API level operations are not supported")
|
||||
}
|
||||
|
||||
@ -265,6 +275,10 @@ func filterFinalizer(f *ScmpFilter) {
|
||||
f.Release()
|
||||
}
|
||||
|
||||
func errRc(rc C.int) error {
|
||||
return syscall.Errno(-1 * rc)
|
||||
}
|
||||
|
||||
// Get a raw filter attribute
|
||||
func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
|
||||
f.lock.Lock()
|
||||
@ -278,7 +292,7 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
|
||||
|
||||
retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute)
|
||||
if retCode != 0 {
|
||||
return 0x0, syscall.Errno(-1 * retCode)
|
||||
return 0x0, errRc(retCode)
|
||||
}
|
||||
|
||||
return attribute, nil
|
||||
@ -295,7 +309,7 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
|
||||
|
||||
retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
|
||||
if retCode != 0 {
|
||||
return syscall.Errno(-1 * retCode)
|
||||
return errRc(retCode)
|
||||
}
|
||||
|
||||
return nil
|
||||
@ -316,14 +330,17 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
|
||||
retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond)
|
||||
}
|
||||
|
||||
if syscall.Errno(-1*retCode) == syscall.EFAULT {
|
||||
return fmt.Errorf("unrecognized syscall %#x", int32(call))
|
||||
} else if syscall.Errno(-1*retCode) == syscall.EPERM {
|
||||
return fmt.Errorf("requested action matches default action of filter")
|
||||
} else if syscall.Errno(-1*retCode) == syscall.EINVAL {
|
||||
return fmt.Errorf("two checks on same syscall argument")
|
||||
} else if retCode != 0 {
|
||||
return syscall.Errno(-1 * retCode)
|
||||
if retCode != 0 {
|
||||
switch e := errRc(retCode); e {
|
||||
case syscall.EFAULT:
|
||||
return fmt.Errorf("unrecognized syscall %#x", int32(call))
|
||||
case syscall.EPERM:
|
||||
return fmt.Errorf("requested action matches default action of filter")
|
||||
case syscall.EINVAL:
|
||||
return fmt.Errorf("two checks on same syscall argument")
|
||||
default:
|
||||
return e
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
@ -517,6 +534,10 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
|
||||
switch a & 0xFFFF0000 {
|
||||
case C.C_ACT_KILL:
|
||||
return ActKill, nil
|
||||
case C.C_ACT_KILL_PROCESS:
|
||||
return ActKillProcess, nil
|
||||
case C.C_ACT_KILL_THREAD:
|
||||
return ActKillThread, nil
|
||||
case C.C_ACT_TRAP:
|
||||
return ActTrap, nil
|
||||
case C.C_ACT_ERRNO:
|
||||
@ -537,6 +558,10 @@ func (a ScmpAction) toNative() C.uint32_t {
|
||||
switch a & 0xFFFF {
|
||||
case ActKill:
|
||||
return C.C_ACT_KILL
|
||||
case ActKillProcess:
|
||||
return C.C_ACT_KILL_PROCESS
|
||||
case ActKillThread:
|
||||
return C.C_ACT_KILL_THREAD
|
||||
case ActTrap:
|
||||
return C.C_ACT_TRAP
|
||||
case ActErrno:
|
||||
|
||||
Reference in New Issue
Block a user