From af36d746ba1b094b76888cd79e446219de4b727e Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Thu, 30 Jul 2015 16:40:28 -0400
Subject: [PATCH 1/2] Add Apparmor, Selinux and Seccomp sections
Signed-off-by: Mrunal Patel
---
 config-linux.md | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/config-linux.md b/config-linux.md
index bc1924824..d6ff68317 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -143,7 +143,7 @@ the container. For more information, see the [kernel cgroups documentation](http
 ## Linux capabilities
 Capabilities is an array that specifies Linux capabilities that can be provided to the process
-inside the container. Valid values are the string after `CAP_` for capabilities defined
+inside the container. Valid values are the string after `CAP_` for capabilities defined
 in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
 ```json
@@ -208,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
 "rootfsPropagation": "slave",
 ```
-## Security
+## Selinux process label
-**TODO:** security profiles
+Selinux process label specifies the label with which the processes in a container are run.
+For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
+```json
+ "selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
+```
+
+## Apparmor profile
+
+Apparmor profile specifies the name of the apparmor profile that will be used for the container.
+For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
+
+```json
+ "apparmorProfile": "acme_secure_profile"
+```
+
+## Seccomp
+
+Seccomp provides application sandboxing mechanism in the Linux kernel.
+Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
+matching on values passed as arguments to syscalls.
+For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
+The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
+```json
+ "seccomp": {
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "getcwd",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+ }
+```
From 63d3d272cb444b056bf2a8513f547e723a19aed6 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Thu, 30 Jul 2015 16:40:51 -0400
Subject: [PATCH 2/2] Add Apparmor, Selinux and Seccomp
Signed-off-by: Mrunal Patel
---
 spec_linux.go | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/spec_linux.go b/spec_linux.go
index 7d08dc3f1..9319c99ac 100644
--- a/spec_linux.go
+++ b/spec_linux.go
@@ -30,6 +30,12 @@ type Linux struct {
 Capabilities []string `json:"capabilities"`
 // Devices are a list of device nodes that are created and enabled for the container
 Devices []Device `json:"devices"`
+ // ApparmorProfile specified the apparmor profile for the container.
+ ApparmorProfile string `json:"apparmorProfile"`
+ // SelinuxProcessLabel specifies the selinux context that the container process is run as.
+ SelinuxProcessLabel string `json:"selinuxProcessLabel"`
+ // Seccomp specifies the seccomp security settings for the container.
+ Seccomp Seccomp `json:"seccomp"`
 // RootfsPropagation is the rootfs mount propagation mode for the container
 RootfsPropagation string `json:"rootfsPropagation"`
 }
@@ -178,3 +184,30 @@ type Device struct {
 // Gid of the device.
 GID uint32 `json:"gid"`
 }
+
+// Seccomp represents syscall restrictions
+type Seccomp struct {
+ DefaultAction Action `json:"defaultAction"`
+ Syscalls []*Syscall `json:"syscalls"`
+}
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+ Index uint `json:"index"`
+ Value uint64 `json:"value"`
+ ValueTwo uint64 `json:"valueTwo"`
+ Op Operator `json:"op"`
+}
+
+// Syscall is used to match a syscall in Seccomp
+type Syscall struct {
+ Name string `json:"name"`
+ Action Action `json:"action"`
+ Args []*Arg `json:"args"`
+}
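Review bot: `Seccomp Seccomp `json:"seccomp"`` is a value field without `omitempty`, so a config that never mentions seccomp decodes to a Seccomp whose DefaultAction is the empty string, which is indistinguishable from a filter whose default action was mistyped as "", and every marshalled config gains a `"seccomp"` object with an empty action. Consider `Seccomp *Seccomp `json:"seccomp,omitempty"`` so the absence of a filter is explicit and an implementation can reject an empty or unrecognised action rather than guessing what it means. The new comment on ApparmorProfile reads "specified" where "specifies" is meant, as in the two comments below it. The opening of the Linux struct lies outside the hunk.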
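Review bot: `Syscalls []*Syscall` and `Args []*Arg` use pointer elements, so a JSON document carrying `null` inside either array decodes to a nil entry and an implementation that ranges over the slice dereferences it; value slices `Syscalls []Syscall `json:"syscalls"`` and `Args []Arg `json:"args"`` remove that case without changing the wire format. Action and Operator are typed strings with no constants declared for them, so a misspelled action cannot be caught at decode time; the type comments should at least state that the values are the seccomp.h names from libseccomp (as config-linux.md in the first patch says) and that an unknown value is to be rejected rather than treated as allow. The comment `// Action taken upon Seccomp rule match` does not begin with the type name as Go doc convention expects; `// Action is the action taken when a Seccomp rule matches.` would, and the Operator and Arg comments have the same shape.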