From caca8409727da48f0c884f52410c57fc66ae125d Mon Sep 17 00:00:00 2001
From: Michael Crosby <crosbymichael@gmail.com>
Date: Thu, 12 Nov 2015 17:03:53 -0800
Subject: [PATCH] Add seccomp trace support

Closes #347

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---
 libcontainer/configs/config.go        | 5 +++--
 libcontainer/seccomp/config.go        | 1 +
 libcontainer/seccomp/seccomp_linux.go | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 3a76732b969..069daae2935 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -33,17 +33,18 @@ type Seccomp struct {
 type Action int
 
 const (
-	Kill Action = iota - 4
+	Kill Action = iota + 1
 	Errno
 	Trap
 	Allow
+	Trace
 )
 
 // A comparison operator to be used when matching syscall arguments in Seccomp
 type Operator int
 
 const (
-	EqualTo Operator = iota
+	EqualTo Operator = iota + 1
 	NotEqualTo
 	GreaterThan
 	GreaterThanOrEqualTo
diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
index 5a3d016d96f..3b9a7595f2b 100644
--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -21,6 +21,7 @@ var actions = map[string]configs.Action{
 	"SCMP_ACT_ERRNO": configs.Errno,
 	"SCMP_ACT_TRAP":  configs.Trap,
 	"SCMP_ACT_ALLOW": configs.Allow,
+	"SCMP_ACT_TRACE": configs.Trace,
 }
 
 var archs = map[string]string{
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
index 1e9ccf8f2db..aff1b63a53a 100644
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -15,6 +15,7 @@ var (
 	actAllow = libseccomp.ActAllow
 	actTrap  = libseccomp.ActTrap
 	actKill  = libseccomp.ActKill
+	actTrace = libseccomp.ActTrace.SetReturnCode(int16(syscall.EPERM))
 	actErrno = libseccomp.ActErrno.SetReturnCode(int16(syscall.EPERM))
 )
 
@@ -83,6 +84,8 @@ func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
 		return actTrap, nil
 	case configs.Allow:
 		return actAllow, nil
+	case configs.Trace:
+		return actTrace, nil
 	default:
 		return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
 	}