Move seccomp enabled check into seccomp package

Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
Andrew Pilloud 2017-02-21 16:39:31 -08:00
parent 44e7e88ff3
commit 2bb4191047
3 changed files with 23 additions and 19 deletions


@ -6,6 +6,7 @@ import (
"encoding/json"
"errors"
"fmt"
"syscall"
"github.com/docker/docker/pkg/stringutils"
specs "github.com/opencontainers/runtime-spec/specs-go"
@ -13,6 +14,22 @@ import (
libseccomp "github.com/seccomp/libseccomp-golang"
)
// IsEnabled returns true if seccomp is enabled for the host.
func IsEnabled() bool {
// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
const seccompModeFilter = uintptr(2)
var enabled bool
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
enabled = true
}
}
return enabled
}
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
return setupSeccomp(&config, specgen)
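Review bot: In the new `IsEnabled`, both prctl probes treat every errno other than `EINVAL` as proof of support, so an unrelated failure (for instance the call being refused by an outer policy) would be reported as seccomp being available. As far as prctl(2) documents it, the second probe passes a null filter pointer and is expected to fail with `EFAULT` on a kernel built with CONFIG_SECCOMP_FILTER, so the stricter test `err == syscall.EFAULT` would make the answer depend on the one expected result; whether callers fail closed on a false positive is not visible in this section. The function should at least carry a comment saying so, e.g. `// The filter pointer is deliberately nil: a kernel with CONFIG_SECCOMP_FILTER rejects it with EFAULT, so this probe never installs a filter.` The nested `if` plus the `enabled` variable could also be flattened into two guard clauses that `return false` and a final `return true`.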