| author | Daniel Golle | 2020-11-15 23:58:44 +0000 |
|---|---|---|
| committer | Daniel Golle | 2020-11-17 13:05:12 +0000 |
| commit | c110405181056f14956ccd097b8e4ffe97b2f3ec (patch) | |
| tree | 97c24da9943dd5633e5eb2771eecd05bfd840f7b | |
| parent | d352e6e97fc5ce2b821b4f363ec545a4d7bdf783 (diff) | |
| download | procd-c110405181056f14956ccd097b8e4ffe97b2f3ec.tar.gz | |
trace: switch to OCI seccomp JSON output
Generate JSON as specified in the OCI runtime spec [1] for the seccomp syscall
filter, instead of our previous OpenWrt-specific format.
[1]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | trace/trace.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/trace/trace.c b/trace/trace.c
index 93554f7..977396a 100644
--- a/trace/trace.c
+++ b/trace/trace.c
@@ -113,7 +113,7 @@ static int cmp_count(const void *a, const void *b)
 static void print_syscalls(int policy, const char *json)
 {
- void *c;
+ void *c, *d, *e;
 int i;
 if (mode == UTRACE) {
@@ -134,7 +134,10 @@ static void print_syscalls(int policy, const char *json)
 qsort(sorted, SYSCALL_COUNT, sizeof(sorted[0]), cmp_count);
 blob_buf_init(&b, 0);
- c = blobmsg_open_array(&b, "whitelist");
+ blobmsg_add_string(&b, "defaultAction", "SCMP_ACT_KILL_PROCESS");
+ c = blobmsg_open_array(&b, "syscalls");
+ d = blobmsg_open_table(&b, "");
+ e = blobmsg_open_array(&b, "names");
 for (i = 0; i < SYSCALL_COUNT; i++) {
 int sc = sorted[i].syscall;
@@ -149,12 +152,14 @@ static void print_syscalls(int policy, const char *json)
 ULOG_ERR("no name found for syscall(%d)\n", sc);
 }
 }
+ blobmsg_close_array(&b, e);
+ blobmsg_add_string(&b, "action", "SCMP_ACT_ALLOW");
+ blobmsg_close_table(&b, d);
 blobmsg_close_array(&b, c);
- blobmsg_add_u32(&b, "policy", policy);
 if (json) {
 FILE *fp = fopen(json, "w");
 if (fp) {
- fprintf(fp, "%s", blobmsg_format_json_indent(b.head, true, 0));
+ fprintf(fp, "%s\n", blobmsg_format_json_indent(b.head, true, 0));
 fclose(fp);
 ULOG_INFO("saving syscall trace to %s\n", json);
 } else { |
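Review bot: `defaultAction` is hard-coded to `SCMP_ACT_KILL_PROCESS` in the second hunk while the third hunk removes the only use of the `policy` parameter (`blobmsg_add_u32(&b, "policy", policy)`), so `policy` is now dead: the value the caller passes no longer changes the emitted profile, and the build will warn under -Wunused-parameter. If the old `policy` value was meant to choose how unlisted syscalls are treated, it should now select between the OCI action strings for `defaultAction`; if it is intentionally obsolete, say so with `(void)policy; /* defaultAction is fixed to SCMP_ACT_KILL_PROCESS; policy no longer affects the profile */` and consider dropping it from this static function's signature. It is also worth checking what the runtime does with a profile whose `names` array is empty (a trace that recorded nothing), since the fixed default would then block every syscall. The body of print_syscalls begins and ends outside these hunks.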
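Review bot: The rewritten `fprintf(fp, "%s\n", blobmsg_format_json_indent(b.head, true, 0))` in the third hunk feeds the formatter's return value straight into a `%s` conversion; libubox returns a heap-allocated string here, or NULL on allocation failure, so the NULL case is undefined behaviour and the success case leaks the buffer. Capture and check it: `char *s = blobmsg_format_json_indent(b.head, true, 0); if (s) { fprintf(fp, "%s\n", s); free(s); }`. `fclose(fp)` on this write stream is also unchecked, so a short write or full disk would still be followed by the "saving syscall trace" success message. The enclosing `if (json)` block continues past the end of the hunk.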