From 7dad383ee9e5b2bed24b614ab8ca8140d40bd699 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Wed, 12 Apr 2017 10:03:10 -0700
Subject: [PATCH] config-linux: Make linux.seccomp.syscalls OPTIONAL

Before this commit, linux.seccomp.syscalls was required, but we didn't require an entry in the array. That means '"syscalls": []' would be technically valid, and I'm pretty sure that's not what we want.

If it makes sense to have a seccomp property that does not need syscalls entries, then syscalls should be optional (which is what this commit is doing). If it does not make sense to have an empty/unset syscalls then it should be required and have a minimum length of one.

Before 652323c (improve seccomp format to be more expressive, 2017-01-13, #657), syscalls was omitempty (and therefore more optional-feeling, although there was no real Markdown spec for seccomp before 3ca5c6c, config-linux.md: fix seccomp, 2017-03-02, #706, so it's hard to know).

This commit has gone with OPTIONAL, because a seccomp config which only sets defaultAction seems potentially valid.

Signed-off-by: W. Trevor King
---
 config-linux.md    | 2 +-
 specs-go/config.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config-linux.md b/config-linux.md index 873982fc2..dc5cc3aa7 100644 --- a/config-linux.md +++ b/config-linux.md @@ -610,7 +610,7 @@ The following parameters can be specified to setup seccomp: * `SCMP_ARCH_PARISC` * `SCMP_ARCH_PARISC64` -* **`syscalls`** *(array of objects, REQUIRED)* - match a syscall in seccomp. +* **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp. Each entry has the following structure: diff --git a/specs-go/config.go b/specs-go/config.go index 70d708d23..ded283428 100644 --- a/specs-go/config.go +++ b/specs-go/config.go
@@ -484,7 +484,7 @@ type WindowsNetworkResources struct { type LinuxSeccomp struct { DefaultAction LinuxSeccompAction `json:"defaultAction"` Architectures []Arch `json:"architectures,omitempty"` - Syscalls []LinuxSyscall `json:"syscalls"` + Syscalls []LinuxSyscall `json:"syscalls,omitempty"` } // Arch used for additional architectures
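Review bot: In the config-linux.md hunk, the changed `syscalls` bullet now says OPTIONAL but does not state what a runtime must do when the property is absent or is an empty array. The commit message gives the reason ("a seccomp config which only sets defaultAction seems potentially valid"), yet that reasoning never reaches the spec text. Please add a sentence to the bullet saying that an unset `syscalls` and `"syscalls": []` are equivalent, and that in both cases `defaultAction` is the only thing that decides how syscalls are handled. Without that, a profile author can ship a `seccomp` object that carries no rules at all and nothing in the document tells them what filtering, if any, the container ends up with.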
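Review bot: In the specs-go/config.go hunk, adding `omitempty` to `Syscalls` means a nil slice and an explicitly empty slice both marshal with the `syscalls` key dropped, so a config that round-trips through `LinuxSeccomp` cannot preserve `"syscalls": []`. That is fine only if the spec treats the two forms as the same, and the struct should say so: none of the three fields visible in this hunk has a doc comment, so a short comment on `Syscalls` noting that it is optional and that an empty value leaves only `DefaultAction` in effect would help consumers that used to assume the key was always present. The diffstat lists only config-linux.md and specs-go/config.go; if the repository also carries a schema that marks `syscalls` as required, it needs the same relaxation in this commit.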