Merge pull request #768 from wking/optional-syscalls

config-linux: Make linux.seccomp.syscalls OPTIONAL
opencontainers · Apr 26, 2017 · 138ad89 · 138ad89
2 parents c6bff91 + 42984e8
commit 138ad89
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/config-linux.md b/config-linux.md
@@ -610,7 +610,10 @@ The following parameters can be specified to setup seccomp:
     * `SCMP_ARCH_PARISC`
     * `SCMP_ARCH_PARISC64`
 
-* **`syscalls`** *(array of objects, REQUIRED)* - match a syscall in seccomp.
+* **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp.
+
+    While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries.
+    For example, if `defaultAction` is `SCMP_ACT_KILL` and `syscalls` is empty or unset, the kernel will kill the container process on its first syscall.
 
     Each entry has the following structure:
 

diff --git a/schema/config-linux.json b/schema/config-linux.json
@@ -249,7 +249,10 @@
                             "$ref": "defs-linux.json#/definitions/Syscall"
                         }
                     }
-                }
+                },
+                "required": [
+                    "defaultAction"
+                ]
             },
             "sysctl": {
                 "id": "https://opencontainers.org/schema/bundle/linux/sysctl",

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -484,7 +484,7 @@ type WindowsNetworkResources struct {
 type LinuxSeccomp struct {
 	DefaultAction LinuxSeccompAction `json:"defaultAction"`
 	Architectures []Arch             `json:"architectures,omitempty"`
-	Syscalls      []LinuxSyscall     `json:"syscalls"`
+	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
 }
 
 // Arch used for additional architectures