Update runtime-spec to v1.0.0.rc5

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/github.com/opencontainers/runtime-tools/generate/generate.go

@@ -11,6 +11,7 @@ import (
 
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
+	"github.com/opencontainers/runtime-tools/validate"
 	"github.com/syndtr/gocapability/capability"
 )
 
@@ -53,23 +54,89 @@ func New() Generator {
 				"TERM=xterm",
 			},
 			Cwd: "/",
-			Capabilities: []string{
-				"CAP_CHOWN",
-				"CAP_DAC_OVERRIDE",
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_MKNOD",
-				"CAP_NET_RAW",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_SETFCAP",
-				"CAP_SETPCAP",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SYS_CHROOT",
-				"CAP_KILL",
-				"CAP_AUDIT_WRITE",
+			Capabilities: &rspec.LinuxCapabilities{
+				Bounding: []string{
+					"CAP_CHOWN",
+					"CAP_DAC_OVERRIDE",
+					"CAP_FSETID",
+					"CAP_FOWNER",
+					"CAP_MKNOD",
+					"CAP_NET_RAW",
+					"CAP_SETGID",
+					"CAP_SETUID",
+					"CAP_SETFCAP",
+					"CAP_SETPCAP",
+					"CAP_NET_BIND_SERVICE",
+					"CAP_SYS_CHROOT",
+					"CAP_KILL",
+					"CAP_AUDIT_WRITE",
+				},
+				Permitted: []string{
+					"CAP_CHOWN",
+					"CAP_DAC_OVERRIDE",
+					"CAP_FSETID",
+					"CAP_FOWNER",
+					"CAP_MKNOD",
+					"CAP_NET_RAW",
+					"CAP_SETGID",
+					"CAP_SETUID",
+					"CAP_SETFCAP",
+					"CAP_SETPCAP",
+					"CAP_NET_BIND_SERVICE",
+					"CAP_SYS_CHROOT",
+					"CAP_KILL",
+					"CAP_AUDIT_WRITE",
+				},
+				Inheritable: []string{
+					"CAP_CHOWN",
+					"CAP_DAC_OVERRIDE",
+					"CAP_FSETID",
+					"CAP_FOWNER",
+					"CAP_MKNOD",
+					"CAP_NET_RAW",
+					"CAP_SETGID",
+					"CAP_SETUID",
+					"CAP_SETFCAP",
+					"CAP_SETPCAP",
+					"CAP_NET_BIND_SERVICE",
+					"CAP_SYS_CHROOT",
+					"CAP_KILL",
+					"CAP_AUDIT_WRITE",
+				},
+				Effective: []string{
+					"CAP_CHOWN",
+					"CAP_DAC_OVERRIDE",
+					"CAP_FSETID",
+					"CAP_FOWNER",
+					"CAP_MKNOD",
+					"CAP_NET_RAW",
+					"CAP_SETGID",
+					"CAP_SETUID",
+					"CAP_SETFCAP",
+					"CAP_SETPCAP",
+					"CAP_NET_BIND_SERVICE",
+					"CAP_SYS_CHROOT",
+					"CAP_KILL",
+					"CAP_AUDIT_WRITE",
+				},
+				Ambient: []string{
+					"CAP_CHOWN",
+					"CAP_DAC_OVERRIDE",
+					"CAP_FSETID",
+					"CAP_FOWNER",
+					"CAP_MKNOD",
+					"CAP_NET_RAW",
+					"CAP_SETGID",
+					"CAP_SETUID",
+					"CAP_SETFCAP",
+					"CAP_SETPCAP",
+					"CAP_NET_BIND_SERVICE",
+					"CAP_SYS_CHROOT",
+					"CAP_KILL",
+					"CAP_AUDIT_WRITE",
+				},
 			},
-			Rlimits: []rspec.Rlimit{
+			Rlimits: []rspec.LinuxRlimit{
 				{
 					Type: "RLIMIT_NOFILE",
 					Hard: uint64(1024),
@@ -117,15 +184,15 @@ func New() Generator {
 			},
 		},
 		Linux: &rspec.Linux{
-			Resources: &rspec.Resources{
-				Devices: []rspec.DeviceCgroup{
+			Resources: &rspec.LinuxResources{
+				Devices: []rspec.LinuxDeviceCgroup{
 					{
 						Allow:  false,
-						Access: strPtr("rwm"),
+						Access: "rwm",
 					},
 				},
 			},
-			Namespaces: []rspec.Namespace{
+			Namespaces: []rspec.LinuxNamespace{
 				{
 					Type: "pid",
 				},
@@ -142,7 +209,7 @@ func New() Generator {
 					Type: "mount",
 				},
 			},
-			Devices: []rspec.Device{},
+			Devices: []rspec.LinuxDevice{},
 		},
 	}
 	spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
@@ -367,7 +434,7 @@ func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64)
 		}
 	}
 
-	newRlimit := rspec.Rlimit{
+	newRlimit := rspec.LinuxRlimit{
 		Type: rType,
 		Hard: rHard,
 		Soft: rSoft,
@@ -394,7 +461,7 @@ func (g *Generator) ClearProcessRlimits() {
 	if g.spec == nil {
 		return
 	}
-	g.spec.Process.Rlimits = []rspec.Rlimit{}
+	g.spec.Process.Rlimits = []rspec.LinuxRlimit{}
 }
 
 // ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
@@ -425,7 +492,7 @@ func (g *Generator) SetProcessSelinuxLabel(label string) {
 // SetLinuxCgroupsPath sets g.spec.Linux.CgroupsPath.
 func (g *Generator) SetLinuxCgroupsPath(path string) {
 	g.initSpecLinux()
-	g.spec.Linux.CgroupsPath = strPtr(path)
+	g.spec.Linux.CgroupsPath = path
 }
 
 // SetLinuxMountLabel sets g.spec.Linux.MountLabel.
@@ -453,7 +520,7 @@ func (g *Generator) SetLinuxResourcesCPUShares(shares uint64) {
 }
 
 // SetLinuxResourcesCPUQuota sets g.spec.Linux.Resources.CPU.Quota.
-func (g *Generator) SetLinuxResourcesCPUQuota(quota uint64) {
+func (g *Generator) SetLinuxResourcesCPUQuota(quota int64) {
 	g.initSpecLinuxResourcesCPU()
 	g.spec.Linux.Resources.CPU.Quota = &quota
 }
@@ -465,7 +532,7 @@ func (g *Generator) SetLinuxResourcesCPUPeriod(period uint64) {
 }
 
 // SetLinuxResourcesCPURealtimeRuntime sets g.spec.Linux.Resources.CPU.RealtimeRuntime.
-func (g *Generator) SetLinuxResourcesCPURealtimeRuntime(time uint64) {
+func (g *Generator) SetLinuxResourcesCPURealtimeRuntime(time int64) {
 	g.initSpecLinuxResourcesCPU()
 	g.spec.Linux.Resources.CPU.RealtimeRuntime = &time
 }
@@ -479,13 +546,13 @@ func (g *Generator) SetLinuxResourcesCPURealtimePeriod(period uint64) {
 // SetLinuxResourcesCPUCpus sets g.spec.Linux.Resources.CPU.Cpus.
 func (g *Generator) SetLinuxResourcesCPUCpus(cpus string) {
 	g.initSpecLinuxResourcesCPU()
-	g.spec.Linux.Resources.CPU.Cpus = &cpus
+	g.spec.Linux.Resources.CPU.Cpus = cpus
 }
 
 // SetLinuxResourcesCPUMems sets g.spec.Linux.Resources.CPU.Mems.
 func (g *Generator) SetLinuxResourcesCPUMems(mems string) {
 	g.initSpecLinuxResourcesCPU()
-	g.spec.Linux.Resources.CPU.Mems = &mems
+	g.spec.Linux.Resources.CPU.Mems = mems
 }
 
 // SetLinuxResourcesMemoryLimit sets g.spec.Linux.Resources.Memory.Limit.
@@ -539,7 +606,7 @@ func (g *Generator) AddLinuxResourcesNetworkPriorities(name string, prio uint32)
 			return
 		}
 	}
-	interfacePrio := new(rspec.InterfacePriority)
+	interfacePrio := new(rspec.LinuxInterfacePriority)
 	interfacePrio.Name = name
 	interfacePrio.Priority = prio
 	g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities, *interfacePrio)
@@ -559,7 +626,7 @@ func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
 // SetLinuxResourcesPidsLimit sets g.spec.Linux.Resources.Pids.Limit.
 func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
 	g.initSpecLinuxResourcesPids()
-	g.spec.Linux.Resources.Pids.Limit = &limit
+	g.spec.Linux.Resources.Pids.Limit = limit
 }
 
 // ClearLinuxSysctl clears g.spec.Linux.Sysctl.
@@ -589,12 +656,12 @@ func (g *Generator) ClearLinuxUIDMappings() {
 	if g.spec == nil || g.spec.Linux == nil {
 		return
 	}
-	g.spec.Linux.UIDMappings = []rspec.IDMapping{}
+	g.spec.Linux.UIDMappings = []rspec.LinuxIDMapping{}
 }
 
 // AddLinuxUIDMapping adds uidMap into g.spec.Linux.UIDMappings.
 func (g *Generator) AddLinuxUIDMapping(hid, cid, size uint32) {
-	idMapping := rspec.IDMapping{
+	idMapping := rspec.LinuxIDMapping{
 		HostID:      hid,
 		ContainerID: cid,
 		Size:        size,
@@ -609,12 +676,12 @@ func (g *Generator) ClearLinuxGIDMappings() {
 	if g.spec == nil || g.spec.Linux == nil {
 		return
 	}
-	g.spec.Linux.GIDMappings = []rspec.IDMapping{}
+	g.spec.Linux.GIDMappings = []rspec.LinuxIDMapping{}
 }
 
 // AddLinuxGIDMapping adds gidMap into g.spec.Linux.GIDMappings.
 func (g *Generator) AddLinuxGIDMapping(hid, cid, size uint32) {
-	idMapping := rspec.IDMapping{
+	idMapping := rspec.LinuxIDMapping{
 		HostID:      hid,
 		ContainerID: cid,
 		Size:        size,
@@ -705,7 +772,6 @@ func (g *Generator) AddCgroupsMount(mountCgroupOption string) error {
 	switch mountCgroupOption {
 	case "ro":
 	case "rw":
-		break
 	case "no":
 		return nil
 	default:
@@ -755,92 +821,125 @@ func (g *Generator) AddBindMount(source, dest string, options []string) {
 
 // SetupPrivileged sets up the privilege-related fields inside g.spec.
 func (g *Generator) SetupPrivileged(privileged bool) {
-	if privileged {
-		// Add all capabilities in privileged mode.
+	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > lastCap() {
+			if g.HostSpecific && cap > validate.LastCap() {
 				continue
 			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
 		}
 		g.initSpecLinux()
-		g.spec.Process.Capabilities = finalCapList
+		g.spec.Process.Capabilities.Bounding = finalCapList
+		g.spec.Process.Capabilities.Effective = finalCapList
+		g.spec.Process.Capabilities.Inheritable = finalCapList
+		g.spec.Process.Capabilities.Permitted = finalCapList
+		g.spec.Process.Capabilities.Ambient = finalCapList
 		g.spec.Process.SelinuxLabel = ""
 		g.spec.Process.ApparmorProfile = ""
 		g.spec.Linux.Seccomp = nil
 	}
 }
 
-func lastCap() capability.Cap {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-
-	return last
-}
-
-func checkCap(c string, hostSpecific bool) error {
-	isValid := false
-	cp := strings.ToUpper(c)
-
-	for _, cap := range capability.List() {
-		if cp == strings.ToUpper(cap.String()) {
-			if hostSpecific && cap > lastCap() {
-				return fmt.Errorf("CAP_%s is not supported on the current host", cp)
-			}
-			isValid = true
-			break
-		}
-	}
-
-	if !isValid {
-		return fmt.Errorf("Invalid value passed for adding capability")
-	}
-	return nil
-}
-
 // ClearProcessCapabilities clear g.spec.Process.Capabilities.
 func (g *Generator) ClearProcessCapabilities() {
 	if g.spec == nil {
 		return
 	}
-	g.spec.Process.Capabilities = []string{}
+	g.spec.Process.Capabilities.Bounding = []string{}
+	g.spec.Process.Capabilities.Effective = []string{}
+	g.spec.Process.Capabilities.Inheritable = []string{}
+	g.spec.Process.Capabilities.Permitted = []string{}
+	g.spec.Process.Capabilities.Ambient = []string{}
 }
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-	if err := checkCap(c, g.HostSpecific); err != nil {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
-	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
-
 	g.initSpec()
-	for _, cap := range g.spec.Process.Capabilities {
+
+	for _, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
 			return nil
 		}
 	}
+	g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
+
+	for _, cap := range g.spec.Process.Capabilities.Effective {
+		if strings.ToUpper(cap) == cp {
+			return nil
+		}
+	}
+	g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
+
+	for _, cap := range g.spec.Process.Capabilities.Inheritable {
+		if strings.ToUpper(cap) == cp {
+			return nil
+		}
+	}
+	g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
+
+	for _, cap := range g.spec.Process.Capabilities.Permitted {
+		if strings.ToUpper(cap) == cp {
+			return nil
+		}
+	}
+	g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
+
+	for _, cap := range g.spec.Process.Capabilities.Ambient {
+		if strings.ToUpper(cap) == cp {
+			return nil
+		}
+	}
+	g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
 
-	g.spec.Process.Capabilities = append(g.spec.Process.Capabilities, cp)
 	return nil
 }
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-	if err := checkCap(c, g.HostSpecific); err != nil {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
-	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
-
 	g.initSpec()
-	for i, cap := range g.spec.Process.Capabilities {
+
+	for i, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities = append(g.spec.Process.Capabilities[:i], g.spec.Process.Capabilities[i+1:]...)
+			g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
+			return nil
+		}
+	}
+
+	for i, cap := range g.spec.Process.Capabilities.Effective {
+		if strings.ToUpper(cap) == cp {
+			g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
+			return nil
+		}
+	}
+
+	for i, cap := range g.spec.Process.Capabilities.Inheritable {
+		if strings.ToUpper(cap) == cp {
+			g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
+			return nil
+		}
+	}
+
+	for i, cap := range g.spec.Process.Capabilities.Permitted {
+		if strings.ToUpper(cap) == cp {
+			g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
+			return nil
+		}
+	}
+
+	for i, cap := range g.spec.Process.Capabilities.Ambient {
+		if strings.ToUpper(cap) == cp {
+			g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
 			return nil
 		}
 	}
@@ -848,24 +947,24 @@ func (g *Generator) DropProcessCapability(c string) error {
 	return nil
 }
 
-func mapStrToNamespace(ns string, path string) (rspec.Namespace, error) {
+func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {
 	switch ns {
 	case "network":
-		return rspec.Namespace{Type: rspec.NetworkNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.NetworkNamespace, Path: path}, nil
 	case "pid":
-		return rspec.Namespace{Type: rspec.PIDNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.PIDNamespace, Path: path}, nil
 	case "mount":
-		return rspec.Namespace{Type: rspec.MountNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.MountNamespace, Path: path}, nil
 	case "ipc":
-		return rspec.Namespace{Type: rspec.IPCNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.IPCNamespace, Path: path}, nil
 	case "uts":
-		return rspec.Namespace{Type: rspec.UTSNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.UTSNamespace, Path: path}, nil
 	case "user":
-		return rspec.Namespace{Type: rspec.UserNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.UserNamespace, Path: path}, nil
 	case "cgroup":
-		return rspec.Namespace{Type: rspec.CgroupNamespace, Path: path}, nil
+		return rspec.LinuxNamespace{Type: rspec.CgroupNamespace, Path: path}, nil
 	default:
-		return rspec.Namespace{}, fmt.Errorf("Should not reach here!")
+		return rspec.LinuxNamespace{}, fmt.Errorf("Should not reach here!")
 	}
 }
 
@@ -874,7 +973,7 @@ func (g *Generator) ClearLinuxNamespaces() {
 	if g.spec == nil || g.spec.Linux == nil {
 		return
 	}
-	g.spec.Linux.Namespaces = []rspec.Namespace{}
+	g.spec.Linux.Namespaces = []rspec.LinuxNamespace{}
 }
 
 // AddOrReplaceLinuxNamespace adds or replaces a namespace inside
@@ -915,6 +1014,46 @@ func (g *Generator) RemoveLinuxNamespace(ns string) error {
 	return nil
 }
 
+// AddDevice - add a device into g.spec.Linux.Devices
+func (g *Generator) AddDevice(device rspec.LinuxDevice) {
+	g.initSpecLinux()
+
+	for i, dev := range g.spec.Linux.Devices {
+		if dev.Path == device.Path {
+			g.spec.Linux.Devices[i] = device
+			return
+		}
+		if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor {
+			fmt.Fprintln(os.Stderr, "WARNING: The same type, major and minor should not be used for multiple devices.")
+		}
+	}
+
+	g.spec.Linux.Devices = append(g.spec.Linux.Devices, device)
+}
+
+//RemoveDevice remove a device from g.spec.Linux.Devices
+func (g *Generator) RemoveDevice(path string) error {
+	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
+		return nil
+	}
+
+	for i, device := range g.spec.Linux.Devices {
+		if device.Path == path {
+			g.spec.Linux.Devices = append(g.spec.Linux.Devices[:i], g.spec.Linux.Devices[i+1:]...)
+			return nil
+		}
+	}
+	return nil
+}
+
+func (g *Generator) ClearLinuxDevices() {
+	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
+		return
+	}
+
+	g.spec.Linux.Devices = []rspec.LinuxDevice{}
+}
+
 // strPtr returns the pointer pointing to the string s.
 func strPtr(s string) *string { return &s }
 

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/parse_action.go

@@ -20,7 +20,7 @@ type SyscallOpts struct {
 
 // ParseSyscallFlag takes a SyscallOpts struct and the seccomp configuration
 // and sets the new syscall rule accordingly
-func ParseSyscallFlag(args SyscallOpts, config *rspec.Seccomp) error {
+func ParseSyscallFlag(args SyscallOpts, config *rspec.LinuxSeccomp) error {
 	var arguments []string
 	if args.Index != "" && args.Value != "" && args.ValueTwo != "" && args.Operator != "" {
 		arguments = []string{args.Action, args.Syscall, args.Index, args.Value,
@@ -34,7 +34,7 @@ func ParseSyscallFlag(args SyscallOpts, config *rspec.Seccomp) error {
 		return fmt.Errorf("default action already set as %s", action)
 	}
 
-	var newSyscall rspec.Syscall
+	var newSyscall rspec.LinuxSyscall
 	numOfArgs := len(arguments)
 	if numOfArgs == 6 || numOfArgs == 2 {
 		argStruct, err := parseArguments(arguments[1:])
@@ -67,7 +67,7 @@ func ParseSyscallFlag(args SyscallOpts, config *rspec.Seccomp) error {
 	return nil
 }
 
-var actions = map[string]rspec.Action{
+var actions = map[string]rspec.LinuxSeccompAction{
 	"allow": rspec.ActAllow,
 	"errno": rspec.ActErrno,
 	"kill":  rspec.ActKill,
@@ -76,7 +76,7 @@ var actions = map[string]rspec.Action{
 }
 
 // Take passed action, return the SCMP_ACT_<ACTION> version of it
-func parseAction(action string) (rspec.Action, error) {
+func parseAction(action string) (rspec.LinuxSeccompAction, error) {
 	a, ok := actions[action]
 	if !ok {
 		return "", fmt.Errorf("unrecognized action: %s", action)
@@ -86,7 +86,7 @@ func parseAction(action string) (rspec.Action, error) {
 
 // ParseDefaultAction sets the default action of the seccomp configuration
 // and then removes any rules that were already specified with this action
-func ParseDefaultAction(action string, config *rspec.Seccomp) error {
+func ParseDefaultAction(action string, config *rspec.LinuxSeccomp) error {
 	if action == "" {
 		return nil
 	}
@@ -104,7 +104,7 @@ func ParseDefaultAction(action string, config *rspec.Seccomp) error {
 }
 
 // ParseDefaultActionForce simply sets the default action of the seccomp configuration
-func ParseDefaultActionForce(action string, config *rspec.Seccomp) error {
+func ParseDefaultActionForce(action string, config *rspec.LinuxSeccomp) error {
 	if action == "" {
 		return nil
 	}
@@ -117,9 +117,9 @@ func ParseDefaultActionForce(action string, config *rspec.Seccomp) error {
 	return nil
 }
 
-func newSyscallStruct(name string, action rspec.Action, args []rspec.Arg) rspec.Syscall {
-	syscallStruct := rspec.Syscall{
-		Name:   name,
+func newSyscallStruct(name string, action rspec.LinuxSeccompAction, args []rspec.LinuxSeccompArg) rspec.LinuxSyscall {
+	syscallStruct := rspec.LinuxSyscall{
+		Names:  []string{name},
 		Action: action,
 		Args:   args,
 	}

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/parse_architecture.go

@@ -8,7 +8,7 @@ import (
 
 // ParseArchitectureFlag takes the raw string passed with the --arch flag, parses it
 // and updates the Seccomp config accordingly
-func ParseArchitectureFlag(architectureArg string, config *rspec.Seccomp) error {
+func ParseArchitectureFlag(architectureArg string, config *rspec.LinuxSeccomp) error {
 	correctedArch, err := parseArch(architectureArg)
 	if err != nil {
 		return err
@@ -39,6 +39,8 @@ func parseArch(arch string) (rspec.Arch, error) {
 		"mipsel":      rspec.ArchMIPSEL,
 		"mipsel64":    rspec.ArchMIPSEL64,
 		"mipsel64n32": rspec.ArchMIPSEL64N32,
+		"parisc":      rspec.ArchPARISC,
+		"parisc64":    rspec.ArchPARISC64,
 		"ppc":         rspec.ArchPPC,
 		"ppc64":       rspec.ArchPPC64,
 		"ppc64le":     rspec.ArchPPC64LE,

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/parse_arguments.go

@@ -9,8 +9,8 @@ import (
 
 // parseArguments takes a list of arguments (delimArgs). It parses and fills out
 // the argument information and returns a slice of arg structs
-func parseArguments(delimArgs []string) ([]rspec.Arg, error) {
-	nilArgSlice := []rspec.Arg{}
+func parseArguments(delimArgs []string) ([]rspec.LinuxSeccompArg, error) {
+	nilArgSlice := []rspec.LinuxSeccompArg{}
 	numberOfArgs := len(delimArgs)
 
 	// No parameters passed with syscall
@@ -40,14 +40,14 @@ func parseArguments(delimArgs []string) ([]rspec.Arg, error) {
 			return nilArgSlice, err
 		}
 
-		argStruct := rspec.Arg{
+		argStruct := rspec.LinuxSeccompArg{
 			Index:    uint(syscallIndex),
 			Value:    syscallValue,
 			ValueTwo: syscallValueTwo,
 			Op:       syscallOp,
 		}
 
-		argSlice := []rspec.Arg{}
+		argSlice := []rspec.LinuxSeccompArg{}
 		argSlice = append(argSlice, argStruct)
 		return argSlice, nil
 	}
@@ -55,8 +55,8 @@ func parseArguments(delimArgs []string) ([]rspec.Arg, error) {
 	return nilArgSlice, fmt.Errorf("incorrect number of arguments passed with syscall: %d", numberOfArgs)
 }
 
-func parseOperator(operator string) (rspec.Operator, error) {
-	operators := map[string]rspec.Operator{
+func parseOperator(operator string) (rspec.LinuxSeccompOperator, error) {
+	operators := map[string]rspec.LinuxSeccompOperator{
 		"NE": rspec.OpNotEqual,
 		"LT": rspec.OpLessThan,
 		"LE": rspec.OpLessEqual,

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/parse_remove.go

@@ -10,7 +10,7 @@ import (
 
 // RemoveAction takes the argument string that was passed with the --remove flag,
 // parses it, and updates the Seccomp config accordingly
-func RemoveAction(arguments string, config *rspec.Seccomp) error {
+func RemoveAction(arguments string, config *rspec.LinuxSeccomp) error {
 	if config == nil {
 		return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
 	}
@@ -22,28 +22,27 @@ func RemoveAction(arguments string, config *rspec.Seccomp) error {
 		syscallsToRemove = append(syscallsToRemove, arguments)
 	}
 
-	for _, syscall := range syscallsToRemove {
-		for counter, syscallStruct := range config.Syscalls {
-			if syscallStruct.Name == syscall {
-				config.Syscalls = append(config.Syscalls[:counter], config.Syscalls[counter+1:]...)
-			}
+	for counter, syscallStruct := range config.Syscalls {
+		if reflect.DeepEqual(syscallsToRemove, syscallStruct.Names) {
+			config.Syscalls = append(config.Syscalls[:counter], config.Syscalls[counter+1:]...)
 		}
 	}
+
 	return nil
 }
 
 // RemoveAllSeccompRules removes all seccomp syscall rules
-func RemoveAllSeccompRules(config *rspec.Seccomp) error {
+func RemoveAllSeccompRules(config *rspec.LinuxSeccomp) error {
 	if config == nil {
 		return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
 	}
-	newSyscallSlice := []rspec.Syscall{}
+	newSyscallSlice := []rspec.LinuxSyscall{}
 	config.Syscalls = newSyscallSlice
 	return nil
 }
 
 // RemoveAllMatchingRules will remove any syscall rules that match the specified action
-func RemoveAllMatchingRules(config *rspec.Seccomp, action string) error {
+func RemoveAllMatchingRules(config *rspec.LinuxSeccomp, action string) error {
 	if config == nil {
 		return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
 	}
@@ -53,16 +52,11 @@ func RemoveAllMatchingRules(config *rspec.Seccomp, action string) error {
 		return err
 	}
 
-	syscallsToRemove := []string{}
 	for _, syscall := range config.Syscalls {
 		if reflect.DeepEqual(syscall.Action, seccompAction) {
-			syscallsToRemove = append(syscallsToRemove, syscall.Name)
+			RemoveAction(strings.Join(syscall.Names, ","), config)
 		}
 	}
 
-	for i := range syscallsToRemove {
-		RemoveAction(syscallsToRemove[i], config)
-	}
-
 	return nil
 }

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/syscall_compare.go

@@ -11,12 +11,12 @@ import (
 
 // Determine if a new syscall rule should be appended, overwrite an existing rule
 // or if no action should be taken at all
-func decideCourseOfAction(newSyscall *rspec.Syscall, syscalls []rspec.Syscall) (string, error) {
+func decideCourseOfAction(newSyscall *rspec.LinuxSyscall, syscalls []rspec.LinuxSyscall) (string, error) {
 	ruleForSyscallAlreadyExists := false
 
 	var sliceOfDeterminedActions []string
 	for i, syscall := range syscalls {
-		if syscall.Name == newSyscall.Name {
+		if sameName(&syscall, newSyscall) {
 			ruleForSyscallAlreadyExists = true
 
 			if identical(newSyscall, &syscall) {
@@ -83,16 +83,16 @@ func decideCourseOfAction(newSyscall *rspec.Syscall, syscalls []rspec.Syscall) (
 	return "", fmt.Errorf("Trouble determining action: %s", sliceOfDeterminedActions)
 }
 
-func hasArguments(config *rspec.Syscall) bool {
-	nilSyscall := new(rspec.Syscall)
+func hasArguments(config *rspec.LinuxSyscall) bool {
+	nilSyscall := new(rspec.LinuxSyscall)
 	return !sameArgs(nilSyscall, config)
 }
 
-func identical(config1, config2 *rspec.Syscall) bool {
+func identical(config1, config2 *rspec.LinuxSyscall) bool {
 	return reflect.DeepEqual(config1, config2)
 }
 
-func identicalExceptAction(config1, config2 *rspec.Syscall) bool {
+func identicalExceptAction(config1, config2 *rspec.LinuxSyscall) bool {
 	samename := sameName(config1, config2)
 	sameAction := sameAction(config1, config2)
 	sameArgs := sameArgs(config1, config2)
@@ -100,7 +100,7 @@ func identicalExceptAction(config1, config2 *rspec.Syscall) bool {
 	return samename && !sameAction && sameArgs
 }
 
-func identicalExceptArgs(config1, config2 *rspec.Syscall) bool {
+func identicalExceptArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	samename := sameName(config1, config2)
 	sameAction := sameAction(config1, config2)
 	sameArgs := sameArgs(config1, config2)
@@ -108,33 +108,33 @@ func identicalExceptArgs(config1, config2 *rspec.Syscall) bool {
 	return samename && sameAction && !sameArgs
 }
 
-func sameName(config1, config2 *rspec.Syscall) bool {
-	return config1.Name == config2.Name
+func sameName(config1, config2 *rspec.LinuxSyscall) bool {
+	return reflect.DeepEqual(config1.Names, config2.Names)
 }
 
-func sameAction(config1, config2 *rspec.Syscall) bool {
+func sameAction(config1, config2 *rspec.LinuxSyscall) bool {
 	return config1.Action == config2.Action
 }
 
-func sameArgs(config1, config2 *rspec.Syscall) bool {
+func sameArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	return reflect.DeepEqual(config1.Args, config2.Args)
 }
 
-func bothHaveArgs(config1, config2 *rspec.Syscall) bool {
+func bothHaveArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	return hasArguments(config1) && hasArguments(config2)
 }
 
-func onlyOneHasArgs(config1, config2 *rspec.Syscall) bool {
+func onlyOneHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	conf1 := hasArguments(config1)
 	conf2 := hasArguments(config2)
 
 	return (conf1 && !conf2) || (!conf1 && conf2)
 }
 
-func neitherHasArgs(config1, config2 *rspec.Syscall) bool {
+func neitherHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	return !hasArguments(config1) && !hasArguments(config2)
 }
 
-func firstParamOnlyHasArgs(config1, config2 *rspec.Syscall) bool {
+func firstParamOnlyHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 	return !hasArguments(config1) && hasArguments(config2)
 }

vendor/github.com/opencontainers/runtime-tools/generate/spec.go

@@ -34,41 +34,41 @@ func (g *Generator) initSpecLinuxSysctl() {
 func (g *Generator) initSpecLinuxSeccomp() {
 	g.initSpecLinux()
 	if g.spec.Linux.Seccomp == nil {
-		g.spec.Linux.Seccomp = &rspec.Seccomp{}
+		g.spec.Linux.Seccomp = &rspec.LinuxSeccomp{}
 	}
 }
 
 func (g *Generator) initSpecLinuxResources() {
 	g.initSpecLinux()
 	if g.spec.Linux.Resources == nil {
-		g.spec.Linux.Resources = &rspec.Resources{}
+		g.spec.Linux.Resources = &rspec.LinuxResources{}
 	}
 }
 
 func (g *Generator) initSpecLinuxResourcesCPU() {
 	g.initSpecLinuxResources()
 	if g.spec.Linux.Resources.CPU == nil {
-		g.spec.Linux.Resources.CPU = &rspec.CPU{}
+		g.spec.Linux.Resources.CPU = &rspec.LinuxCPU{}
 	}
 }
 
 func (g *Generator) initSpecLinuxResourcesMemory() {
 	g.initSpecLinuxResources()
 	if g.spec.Linux.Resources.Memory == nil {
-		g.spec.Linux.Resources.Memory = &rspec.Memory{}
+		g.spec.Linux.Resources.Memory = &rspec.LinuxMemory{}
 	}
 }
 
 func (g *Generator) initSpecLinuxResourcesNetwork() {
 	g.initSpecLinuxResources()
 	if g.spec.Linux.Resources.Network == nil {
-		g.spec.Linux.Resources.Network = &rspec.Network{}
+		g.spec.Linux.Resources.Network = &rspec.LinuxNetwork{}
 	}
 }
 
 func (g *Generator) initSpecLinuxResourcesPids() {
 	g.initSpecLinuxResources()
 	if g.spec.Linux.Resources.Pids == nil {
-		g.spec.Linux.Resources.Pids = &rspec.Pids{}
+		g.spec.Linux.Resources.Pids = &rspec.LinuxPids{}
 	}
 }