Move seccomp enabled check into seccomp package

Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-21 16:39:31 -08:00 · 2017-02-21 16:39:31 -08:00 · 2bb4191047
commit 2bb4191047
parent 44e7e88ff3
3 changed files with 23 additions and 19 deletions
--- a/server/seccomp/seccomp.go
+++ b/server/seccomp/seccomp.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"syscall"

 	"github.com/docker/docker/pkg/stringutils"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@ -13,6 +14,22 @@ import (
 	libseccomp "github.com/seccomp/libseccomp-golang"
 )

+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+	// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	const seccompModeFilter = uintptr(2)
+
+	var enabled bool
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
+			enabled = true
+		}
+	}
+	return enabled
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return setupSeccomp(&config, specgen)
--- a/server/seccomp/seccomp_unsupported.go
+++ b/server/seccomp/seccomp_unsupported.go
@ -4,6 +4,11 @@ package seccomp

 import "github.com/opencontainers/runtime-tools/generate"

+// IsEnabled returns false, when build without seccomp build tag.
+func IsEnabled() bool {
+	return false
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return nil
--- a/server/server.go
+++ b/server/server.go
@ -6,7 +6,6 @@ import (
 	"io/ioutil"
 	"os"
 	"sync"
-	"syscall"

 	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/types"
@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
 	s.ctrNameIndex.Release(name)
 }

-const (
-	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
-	SeccompModeFilter = uintptr(2)
-)
-
-func seccompEnabled() bool {
-	var enabled bool
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
-	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
-			enabled = true
-		}
-	}
-	return enabled
-}
-
 // Shutdown attempts to shut down the server's storage cleanly
 func (s *Server) Shutdown() error {
 	_, err := s.store.Shutdown(false)
@ -491,7 +473,7 @@ func New(config *Config) (*Server, error) {
 			sandboxes:  sandboxes,
 			containers: containers,
 		},
-		seccompEnabled:  seccompEnabled(),
+		seccompEnabled:  seccomp.IsEnabled(),
 		appArmorEnabled: apparmor.IsEnabled(),
 		appArmorProfile: config.ApparmorProfile,
 	}