Merge pull request #19 from vrothberg/consistency-check

Consistency check

.circleci/config.yml

@@ -47,13 +47,13 @@ jobs:
       - persist_to_workspace:
           root: .
           paths:
-            - default.json
+            - seccomp.json
       - store_artifacts:
           path: generate
           destination: generate
       - store_artifacts:
-          path: default.json
-          destination: default.json
+          path: seccomp.json
+          destination: seccomp.json
 
   unit-tests:
     executor: container
@@ -76,6 +76,7 @@ jobs:
   vendor:
     executor: container
     steps:
+      - <<: *prepare-env
       - checkout
       - restore_cache:
           keys:
@@ -85,6 +86,11 @@ jobs:
           command: |
             make vendor
             hack/tree_status.sh
+      - run:
+          name: check profile consistency
+          command: |
+            make seccomp.json
+            git diff --exit-code
       - save_cache:
           key: v1-vendor-{{ checksum "go.sum" }}
           paths:

.gitignore

@@ -1,2 +1,2 @@
-default.json
 *.orig
+generate

Makefile

@@ -7,12 +7,13 @@ PACKAGE := github.com/seccomp/containers-golang
 
 sources := $(wildcard *.go)
 
-default.json: $(sources)
+.PHONY: seccomp.json
+seccomp.json: $(sources)
 	$(GO) build -compiler gc $(BUILDFLAGS) ./cmd/generate.go
 	$(GO) build -compiler gc ./cmd/generate.go
 	$(GO) run ${BUILDFLAGS} cmd/generate.go
 
-all: default.json
+all: seccomp.json
 
 .PHONY: test-unit
 test-unit:
@@ -28,4 +29,4 @@ vendor:
 
 .PHONY: clean
 clean:
-	rm -f default.json generate
+	rm -f generate

README.md

@@ -7,7 +7,7 @@
 seccomp (short for secure computing mode) is a BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.
 
 ## Building
-   make - Generates default.json file, which containes the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers.
+   make - Generates seccomp.json file, which contains the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers.
 
 ### Supported build tags
 

cmd/generate.go

@@ -18,7 +18,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	f := filepath.Join(wd, "default.json")
+	f := filepath.Join(wd, "seccomp.json")
 
 	// write the default profile to the file
 	b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")

seccomp.json

@@ -194,6 +194,7 @@
 				"mlockall",
 				"mmap",
 				"mmap2",
+				"mount",
 				"mprotect",
 				"mq_getsetattr",
 				"mq_notify",
@@ -210,6 +211,7 @@
 				"munlock",
 				"munlockall",
 				"munmap",
+				"name_to_handle_at",
 				"nanosleep",
 				"newfstatat",
 				"_newselect",
@@ -234,6 +236,7 @@
 				"readlink",
 				"readlinkat",
 				"readv",
+				"reboot",
 				"recv",
 				"recvfrom",
 				"recvmmsg",
@@ -347,6 +350,7 @@
 				"truncate64",
 				"ugetrlimit",
 				"umask",
+				"umount",
 				"uname",
 				"unlink",
 				"unlinkat",
@@ -359,12 +363,7 @@
 				"waitid",
 				"waitpid",
 				"write",
-				"writev",
-				"mount",
-				"umount2",
-				"reboot",
-				"name_to_handle_at",
-				"unshare"
+				"writev"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@@ -770,4 +769,4 @@
 			"excludes": {}
 		}
 	]
-}
+}

seccomp_test.go

@@ -25,7 +25,7 @@ func TestLoadProfile(t *testing.T) {
 }
 
 func TestLoadDefaultProfile(t *testing.T) {
-	f, err := ioutil.ReadFile("default.json")
+	f, err := ioutil.ReadFile("seccomp.json")
 	if err != nil {
 		t.Fatal(err)
 	}