test: add a custom binary to reliable check seccomp support

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

.gitignore

@@ -11,3 +11,4 @@ ocid.conf
 test/bin2img/bin2img
 test/copyimg/copyimg
 test/testdata/redis-image
+test/checkseccomp/checkseccomp

Makefile

@@ -50,6 +50,9 @@ bin2img:
 copyimg:
 	make -C test/$@
 
+checkseccomp:
+	make -C test/$@
+
 ocid:
 ifndef GOPATH
 	$(error GOPATH is not set)
@@ -82,6 +85,7 @@ clean:
 	make -C pause clean
 	make -C test/bin2img clean
 	make -C test/copyimg clean
+	make -C test/checkseccomp clean
 
 ocidimage:
 	docker build -t ${OCID_IMAGE} .
@@ -95,7 +99,7 @@ integration: ocidimage
 localintegration: binaries
 	./test/test_runner.sh ${TESTFLAGS}
 
-binaries: ocid ocic kpod conmon pause bin2img copyimg
+binaries: ocid ocic kpod conmon pause bin2img copyimg checkseccomp
 
 MANPAGES_MD := $(wildcard docs/*.md)
 MANPAGES    := $(MANPAGES_MD:%.md=%)
@@ -191,6 +195,7 @@ install.tools: .install.gitvalidation .install.gometalinter .install.md2man
 .PHONY: \
 	bin2img \
 	binaries \
+	checkseccomp \
 	clean \
 	conmon \
 	copyimg \

test/checkseccomp/Makefile

@@ -0,0 +1,6 @@
+checkseccomp: $(wildcard *.go)
+	go build -o $@
+
+.PHONY: clean
+	clean:
+	rm -f checkseccomp

test/checkseccomp/checkseccomp.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"os"
+	"syscall"
+)
+
+const (
+	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	SeccompModeFilter = uintptr(2)
+)
+
+func main() {
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+			os.Exit(0)
+		}
+	}
+	os.Exit(1)
+}