From e2fbc1b80c949a894e6c5a04999d85825c109860 Mon Sep 17 00:00:00 2001
From: Vincent Batts <vbatts@hashbangbash.com>
Date: Wed, 24 Jan 2018 05:11:03 -0500
Subject: [PATCH] generate/seccomp: platform independent values

This default seccomp profile may need to be used/generated from
non-linux platforms, though the use of syscall package confines the
compile to linux only

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
---
 generate/seccomp/seccomp_default.go             |  3 +--
 generate/seccomp/seccomp_default_linux.go       | 15 +++++++++++++++
 generate/seccomp/seccomp_default_unsupported.go | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 generate/seccomp/seccomp_default_linux.go
 create mode 100644 generate/seccomp/seccomp_default_unsupported.go

diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go
index 35b12cd65..5fee5a3b2 100644
--- a/generate/seccomp/seccomp_default.go
+++ b/generate/seccomp/seccomp_default.go
@@ -2,7 +2,6 @@ package seccomp
 
 import (
 	"runtime"
-	"syscall"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -513,7 +512,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
 				Args: []rspec.LinuxSeccompArg{
 					{
 						Index:    sysCloneFlagsIndex,
-						Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
+						Value:    CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
 						ValueTwo: 0,
 						Op:       rspec.OpMaskedEqual,
 					},
diff --git a/generate/seccomp/seccomp_default_linux.go b/generate/seccomp/seccomp_default_linux.go
new file mode 100644
index 000000000..311587437
--- /dev/null
+++ b/generate/seccomp/seccomp_default_linux.go
@@ -0,0 +1,15 @@
+// +build linux
+
+package seccomp
+
+import "syscall"
+
+// System values passed through on linux
+const (
+	CloneNewIPC  = syscall.CLONE_NEWIPC
+	CloneNewNet  = syscall.CLONE_NEWNET
+	CloneNewNS   = syscall.CLONE_NEWNS
+	CloneNewPID  = syscall.CLONE_NEWPID
+	CloneNewUser = syscall.CLONE_NEWUSER
+	CloneNewUTS  = syscall.CLONE_NEWUTS
+)
diff --git a/generate/seccomp/seccomp_default_unsupported.go b/generate/seccomp/seccomp_default_unsupported.go
new file mode 100644
index 000000000..589b81c16
--- /dev/null
+++ b/generate/seccomp/seccomp_default_unsupported.go
@@ -0,0 +1,15 @@
+// +build !linux
+
+package seccomp
+
+// These are copied from linux/amd64 syscall values, as a reference for other
+// platforms to have access to
+const (
+	CloneNewIPC    = 0x8000000
+	CloneNewNet    = 0x40000000
+	CloneNewNS     = 0x20000
+	CloneNewPID    = 0x20000000
+	CloneNewUser   = 0x10000000
+	CloneNewUTS    = 0x4000000
+	CloneNewCgroup = 0x02000000
+)