generate/seccomp: platform independent values #561
liangchenye merged 1 commit into opencontainers:master from
| import "syscall" | ||
|
|
||
| const ( | ||
| CLONE_NEWIPC = syscall.CLONE_NEWIPC |
golint suggests CloneNewIPC, etc. Breaking consistency with syscall would be unfortunate, but I'd prefer CloneNewIPC over hoop-jumping to make golint accept CLONE_NEWIPC.
Fair, but I was hoping to stick to the syscall format.
|
Please update the naming issue as golint suggests ('CLONE_NEWIPC'); otherwise it looks good to me.
| package seccomp | ||
|
|
||
| // These are copied from linux/amd64 syscall values, as a reference for other | ||
| // platforms to have access to |
If these values were amd64-specific, that would be a problem, because folks generating configs for other arches from non-Linux systems would get the wrong values. But it turns out that these values are arch-independent. Maybe adjust this comment to point that out, possibly linking to the kernel?
| CLONE_NEWNS = 0x20000 | ||
| CLONE_NEWPID = 0x20000000 | ||
| CLONE_NEWUSER = 0x10000000 | ||
| CLONE_NEWUTS = 0x4000000 |
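Review bot: The hex literals in this block use mixed widths (0x20000 next to 0x20000000 and 0x4000000), which makes the single-bit flags hard to compare by eye; zero-padding each to eight hex digits (0x00020000, 0x04000000, ...) and naming the kernel header they come from in the comment above would make the arch-independence claim checkable against the source.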
You may want to add CloneNewCgroup = 0x02000000. We support the cgroup namespace since opencontainers/runtime-spec#397. I'm not sure why the seccomp lib doesn't need it (yet?), but I'd rather try to keep full new-namespace coverage.
it's not even in the go syscall yet. I'm going to hold on this addition.
> it's not even in the go syscall yet. I'm going to hold on this addition.

syscall is end-of-life. It's in golang.org/x/sys/unix since golang/sys@b44883b47 (2016-06-09).
This default seccomp profile may need to be used/generated from
non-linux platforms, though the use of syscall package confines the
compile to linux only

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

edf485c to e2fbc1b
|
Updated. PTAL
|
|
||
| package seccomp | ||
|
|
||
| import "syscall" |
syscall is end-of-life:

> NOTE: This package is locked down. Code outside the standard Go repository should be migrated to use the corresponding package in the golang.org/x/sys repository…

We already vendor golang.org/x/sys here; can we use that instead?
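The thread above turns on one idea: the CLONE_NEW* namespace flags are kernel ABI constants, identical on every architecture, so a seccomp profile generator can embed them as literals instead of importing the Linux-only syscall package. The following is an added example, not code from this PR or from runtime-tools. It defines the flags with the values from the kernel's include/uapi/linux/sched.h (including the CLONE_NEWCGROUP value wking mentioned), builds the masked-equality argument rule that a default profile uses to allow clone(2) only when no new namespace is requested, and evaluates that rule against sample flag words. The SeccompArg type, the NamespaceMask/NewNamespaceArgRule/RequestedNamespaces helpers and the sample flag values are assumptions made for the example; SeccompArg only mirrors the index/value/valueTwo/op shape of a seccomp argument rule and is not the runtime-spec's own type.

```go
package main

import (
	"fmt"
	"strings"
)

// Namespace-creating clone(2) flags, taken from the Linux UAPI header
// include/uapi/linux/sched.h. They are part of the kernel ABI and identical on
// every architecture, so a generator can embed them without importing the
// Linux-only syscall package. Names follow golint's CloneNewIPC style.
const (
	CloneNewNS     uint64 = 0x00020000
	CloneNewCgroup uint64 = 0x02000000
	CloneNewUTS    uint64 = 0x04000000
	CloneNewIPC    uint64 = 0x08000000
	CloneNewUser   uint64 = 0x10000000
	CloneNewPID    uint64 = 0x20000000
	CloneNewNet    uint64 = 0x40000000
)

// cloneFlag pairs a flag with its kernel name; the slice order is fixed so that
// diagnostics come out in a deterministic order.
type cloneFlag struct {
	value uint64
	name  string
}

var namespaceFlags = []cloneFlag{
	{CloneNewNS, "CLONE_NEWNS"},
	{CloneNewCgroup, "CLONE_NEWCGROUP"},
	{CloneNewUTS, "CLONE_NEWUTS"},
	{CloneNewIPC, "CLONE_NEWIPC"},
	{CloneNewUser, "CLONE_NEWUSER"},
	{CloneNewPID, "CLONE_NEWPID"},
	{CloneNewNet, "CLONE_NEWNET"},
}

// SeccompArg is a hypothetical local mirror of a seccomp argument rule
// (index, value, valueTwo, op); it is not the runtime-spec's own type.
type SeccompArg struct {
	Index    uint
	Value    uint64
	ValueTwo uint64
	Op       string
}

// NamespaceMask ORs together the namespace flags; includeCgroup controls
// whether CLONE_NEWCGROUP is part of the mask.
func NamespaceMask(includeCgroup bool) uint64 {
	var mask uint64
	for _, f := range namespaceFlags {
		if f.value == CloneNewCgroup && !includeCgroup {
			continue
		}
		mask |= f.value
	}
	return mask
}

// NewNamespaceArgRule builds the masked-equality rule on clone's first
// argument: the call matches only when (flags & mask) == 0, i.e. when no new
// namespace is requested.
func NewNamespaceArgRule(mask uint64) SeccompArg {
	return SeccompArg{Index: 0, Value: mask, ValueTwo: 0, Op: "SCMP_CMP_MASKED_EQ"}
}

// Matches evaluates the rule against a concrete argument value with the
// SCMP_CMP_MASKED_EQ semantics: (arg & value) == valueTwo.
func (a SeccompArg) Matches(arg uint64) (bool, error) {
	if a.Op != "SCMP_CMP_MASKED_EQ" {
		return false, fmt.Errorf("unsupported op %q", a.Op)
	}
	return arg&a.Value == a.ValueTwo, nil
}

// RequestedNamespaces lists the namespace flags set in a clone flags word,
// restricted to those covered by mask, for use in a denial diagnostic.
func RequestedNamespaces(flags, mask uint64) []string {
	var names []string
	for _, f := range namespaceFlags {
		if flags&mask&f.value != 0 {
			names = append(names, f.name)
		}
	}
	return names
}

func main() {
	mask := NamespaceMask(true)
	rule := NewNamespaceArgRule(mask)
	// Constructed samples: a plain fork (low byte 0x11 is the SIGCHLD exit
	// signal, no namespace flags) and a clone that also asks for new user and
	// PID namespaces.
	for _, flags := range []uint64{0x11, 0x11 | CloneNewUser | CloneNewPID} {
		ok, _ := rule.Matches(flags)
		fmt.Printf("flags=0x%08x allowed=%v namespaces=%s\n",
			flags, ok, strings.Join(RequestedNamespaces(flags, mask), ","))
	}
}
```

Because the constants are plain literals, this file builds on any GOOS, which is the property the PR is after; the trade-off, as the thread notes, is that the values are no longer checked against the host's syscall or x/sys/unix definitions at compile time, so a test that compares them against golang.org/x/sys/unix under a linux build tag is the natural companion.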