Hey runc maintainers 👋, I really would like to re-use the runc seccomp profile validation in libcontainer/seccomp/seccomp_linux.go, but without loading the profile at all. This could be re-used for higher level profile validation in other libraries.
My proposal would be that we move most of the code into a different library or make it public in libcontainer. Both approaches would mean a refactoring of the API in any case. I'm thinking about two new functions:
ValidateSeccompProfile(profile string) - unmarshal the profile into the Seccomp struct and try BuildFilter()
BuildFilter(profile *Seccomp) - validates the profile further and builds the filter
InitSeccomp(*Seccomp) would then also use BuildFilter() but additionally runs filter.Load().
What do you think about this? I think this way we could also work on better testing around the seccomp profile validation.
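The validate-without-load split proposed above, sketched with the Go standard library only. This is an added example, not runc's code and not part of the original issue: the `Seccomp` type, the value tables and `checkProfile` are hypothetical stand-ins covering a subset of the OCI seccomp JSON, the `error` return is assumed, and no libseccomp filter is built or loaded.

```go
package main

import "encoding/json"
import "fmt"

// Seccomp is a subset of the OCI seccomp JSON; type and tables are local to this example.
type Seccomp struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
		Args   []struct {
			Index uint   `json:"index"`
			Op    string `json:"op"`
		} `json:"args"`
	} `json:"syscalls"`
}
var actions = map[string]bool{"SCMP_ACT_KILL": true, "SCMP_ACT_TRAP": true, "SCMP_ACT_ERRNO": true,
	"SCMP_ACT_TRACE": true, "SCMP_ACT_LOG": true, "SCMP_ACT_ALLOW": true}
var ops = map[string]bool{"SCMP_CMP_NE": true, "SCMP_CMP_LT": true, "SCMP_CMP_LE": true,
	"SCMP_CMP_EQ": true, "SCMP_CMP_GE": true, "SCMP_CMP_GT": true, "SCMP_CMP_MASKED_EQ": true}

// checkProfile stands in for the validation half of the proposed BuildFilter(): static checks only.
func checkProfile(p *Seccomp) error {
	if !actions[p.DefaultAction] {
		return fmt.Errorf("invalid defaultAction %q", p.DefaultAction)
	}
	for i, sc := range p.Syscalls {
		if len(sc.Names) == 0 || !actions[sc.Action] {
			return fmt.Errorf("syscalls[%d]: missing names or invalid action %q", i, sc.Action)
		}
		for _, a := range sc.Args {
			if a.Index > 5 || !ops[a.Op] { // seccomp filters see syscall args 0..5
				return fmt.Errorf("syscalls[%d]: bad arg index %d or op %q", i, a.Index, a.Op)
			}
		}
	}
	return nil
}

// ValidateSeccompProfile uses the proposed name; the error return is an assumption.
func ValidateSeccompProfile(profile string) error {
	var p Seccomp
	if err := json.Unmarshal([]byte(profile), &p); err != nil {
		return fmt.Errorf("decoding profile: %w", err)
	}
	return checkProfile(&p)
}

func main() { fmt.Println(ValidateSeccompProfile(`{"defaultAction":"SCMP_ACT_ERRNO"}`)) }
```

Because nothing is handed to the kernel, a check of this shape can run in CI or in a higher-level tool on hosts where the profile will never be applied.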