Merge pull request #368 from apilloud/no_seccomp

Run without seccomp
This commit is contained in:
Mrunal Patel 2017-02-22 12:01:17 -08:00 committed by GitHub
commit 860c5419fd
4 changed files with 37 additions and 27 deletions

View file

@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
}
}
if !s.seccompEnabled {
g.Spec().Linux.Seccomp = nil
}
saveOptions := generate.ExportOptions{}
mountPoint, err := s.storage.StartContainer(id)
if err != nil {

View file

@ -6,6 +6,7 @@ import (
"encoding/json"
"errors"
"fmt"
"syscall"
"github.com/docker/docker/pkg/stringutils"
specs "github.com/opencontainers/runtime-spec/specs-go"
@ -13,6 +14,22 @@ import (
libseccomp "github.com/seccomp/libseccomp-golang"
)
// IsEnabled returns true if seccomp is enabled for the host.
func IsEnabled() bool {
// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
const seccompModeFilter = uintptr(2)
enabled := false
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
enabled = true
}
}
return enabled
}
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
return setupSeccomp(&config, specgen)

View file

@ -4,6 +4,11 @@ package seccomp
import "github.com/opencontainers/runtime-tools/generate"
// IsEnabled returns false, when build without seccomp build tag.
func IsEnabled() bool {
return false
}
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
return nil

View file

@ -6,7 +6,6 @@ import (
"io/ioutil"
"os"
"sync"
"syscall"
"github.com/Sirupsen/logrus"
"github.com/containers/image/types"
@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
s.ctrNameIndex.Release(name)
}
const (
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
SeccompModeFilter = uintptr(2)
)
func seccompEnabled() bool {
var enabled bool
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
enabled = true
}
}
return enabled
}
// Shutdown attempts to shut down the server's storage cleanly
func (s *Server) Shutdown() error {
_, err := s.store.Shutdown(false)
@ -491,19 +473,21 @@ func New(config *Config) (*Server, error) {
sandboxes: sandboxes,
containers: containers,
},
seccompEnabled: seccompEnabled(),
seccompEnabled: seccomp.IsEnabled(),
appArmorEnabled: apparmor.IsEnabled(),
appArmorProfile: config.ApparmorProfile,
}
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
if err != nil {
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
if s.seccompEnabled {
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
if err != nil {
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
}
var seccompConfig seccomp.Seccomp
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
s.seccompProfile = seccompConfig
}
var seccompConfig seccomp.Seccomp
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
s.seccompProfile = seccompConfig
if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {