diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 885c7c07..7cff2f3e 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest } } + if !s.seccompEnabled { + g.Spec().Linux.Seccomp = nil + } + saveOptions := generate.ExportOptions{} mountPoint, err := s.storage.StartContainer(id) if err != nil { diff --git a/server/seccomp/seccomp.go b/server/seccomp/seccomp.go index 2d4c9480..17f86195 100644 --- a/server/seccomp/seccomp.go +++ b/server/seccomp/seccomp.go @@ -6,6 +6,7 @@ import ( "encoding/json" "errors" "fmt" + "syscall" "github.com/docker/docker/pkg/stringutils" specs "github.com/opencontainers/runtime-spec/specs-go" @@ -13,6 +14,22 @@ import ( libseccomp "github.com/seccomp/libseccomp-golang" ) +// IsEnabled returns true if seccomp is enabled for the host. +func IsEnabled() bool { + // seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. + const seccompModeFilter = uintptr(2) + + enabled := false + // Check if Seccomp is supported, via CONFIG_SECCOMP. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL { + enabled = true + } + } + return enabled +} + // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec. func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error { return setupSeccomp(&config, specgen) diff --git a/server/seccomp/seccomp_unsupported.go b/server/seccomp/seccomp_unsupported.go index 7ea2417f..efb36bdf 100644 --- a/server/seccomp/seccomp_unsupported.go +++ b/server/seccomp/seccomp_unsupported.go @@ -4,6 +4,11 @@ package seccomp import "github.com/opencontainers/runtime-tools/generate" +// IsEnabled returns false, when build without seccomp build tag. +func IsEnabled() bool { + return false +} + // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec. func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error { return nil diff --git a/server/server.go b/server/server.go index 6ef6012b..f1d17450 100644 --- a/server/server.go +++ b/server/server.go @@ -6,7 +6,6 @@ import ( "io/ioutil" "os" "sync" - "syscall" "github.com/Sirupsen/logrus" "github.com/containers/image/types" @@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) { s.ctrNameIndex.Release(name) } -const ( - // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. - SeccompModeFilter = uintptr(2) -) - -func seccompEnabled() bool { - var enabled bool - // Check if Seccomp is supported, via CONFIG_SECCOMP. - if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { - // Make sure the kernel has CONFIG_SECCOMP_FILTER. - if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { - enabled = true - } - } - return enabled -} - // Shutdown attempts to shut down the server's storage cleanly func (s *Server) Shutdown() error { _, err := s.store.Shutdown(false) @@ -491,19 +473,21 @@ func New(config *Config) (*Server, error) { sandboxes: sandboxes, containers: containers, }, - seccompEnabled: seccompEnabled(), + seccompEnabled: seccomp.IsEnabled(), appArmorEnabled: apparmor.IsEnabled(), appArmorProfile: config.ApparmorProfile, } - seccompProfile, err := ioutil.ReadFile(config.SeccompProfile) - if err != nil { - return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err) + if s.seccompEnabled { + seccompProfile, err := ioutil.ReadFile(config.SeccompProfile) + if err != nil { + return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err) + } + var seccompConfig seccomp.Seccomp + if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil { + return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) + } + s.seccompProfile = seccompConfig } - var seccompConfig seccomp.Seccomp - if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil { - return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) - } - s.seccompProfile = seccompConfig if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile { if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {