Merge pull request #1018 from giuseppe/seccomp-flags

hqhq · web-flow · commit 52e2591aa9f7 · 2019-09-11T09:34:53.000+08:00
config-linux: support seccomp flags
diff --git a/config-linux.md b/config-linux.md
@@ -586,6 +586,14 @@ The following parameters can be specified to set up seccomp:
     * `SCMP_ARCH_PARISC`
     * `SCMP_ARCH_PARISC64`
 
+* **`flags`** *(array of strings, OPTIONAL)* - list of flags to use with seccomp(2).
+
+    A valid list of constants is shown below.
+
+    * `SECCOMP_FILTER_FLAG_TSYNC`
+    * `SECCOMP_FILTER_FLAG_LOG`
+    * `SECCOMP_FILTER_FLAG_SPEC_ALLOW`
+
 * **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp.
 
     While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries.
diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -197,6 +197,12 @@
                     "defaultAction": {
                         "$ref": "defs-linux.json#/definitions/SeccompAction"
                     },
+                    "flags": {
+                        "type": "array",
+                        "items": {
+                            "$ref": "defs-linux.json#/definitions/SeccompFlag"
+                        }
+                    },
                     "architectures": {
                         "type": "array",
                         "items": {
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -42,6 +42,14 @@
                 "SCMP_ACT_ALLOW"
             ]
         },
+        "SeccompFlag": {
+            "type": "string",
+            "enum": [
+                "SECCOMP_FILTER_FLAG_TSYNC",
+                "SECCOMP_FILTER_FLAG_LOG",
+                "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+            ]
+        },
         "SeccompOperators": {
             "type": "string",
             "enum": [
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -556,12 +556,16 @@ type VMImage struct {
 type LinuxSeccomp struct {
 	DefaultAction LinuxSeccompAction `json:"defaultAction"`
 	Architectures []Arch             `json:"architectures,omitempty"`
+	Flags         []LinuxSeccompFlag `json:"flags,omitempty"`
 	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
 }
 
 // Arch used for additional architectures
 type Arch string
 
+// LinuxSeccompFlag is a flag to pass to seccomp(2).
+type LinuxSeccompFlag string
+
 // Additional architectures permitted to be used for system calls
 // By default only the native architecture of the kernel is permitted
 const (
