From 44e7e88ff365da02237e672762f88bf53891585c Mon Sep 17 00:00:00 2001
From: Andrew Pilloud
Date: Tue, 21 Feb 2017 16:21:04 -0800
Subject: [PATCH 1/3] Run without seccomp support

Signed-off-by: Andrew Pilloud
---
 server/sandbox_run.go |  4 ++++
 server/server.go      | 18 ++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 885c7c07..7cff2f3e 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		}
 	}
 
+	if !s.seccompEnabled {
+		g.Spec().Linux.Seccomp = nil
+	}
+
 	saveOptions := generate.ExportOptions{}
 	mountPoint, err := s.storage.StartContainer(id)
 	if err != nil {
diff --git a/server/server.go b/server/server.go
index 6ef6012b..d9e30e8a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -495,15 +495,17 @@ func New(config *Config) (*Server, error) {
 		appArmorEnabled: apparmor.IsEnabled(),
 		appArmorProfile: config.ApparmorProfile,
 	}
-	seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
-	if err != nil {
-		return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
+	if s.seccompEnabled {
+		seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
+		if err != nil {
+			return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
+		}
+		var seccompConfig seccomp.Seccomp
+		if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
+			return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
+		}
+		s.seccompProfile = seccompConfig
 	}
-	var seccompConfig seccomp.Seccomp
-	if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
-		return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
-	}
-	s.seccompProfile = seccompConfig
 
 	if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
 		if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {
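Review bot: Losing seccomp is now silent: the sandbox_run.go hunk clears `g.Spec().Linux.Seccomp` when `s.seccompEnabled` is false, and the server.go hunk skips loading `config.SeccompProfile` in the same case, but neither path records that containers will run without syscall filtering, so an operator who configured a profile gets no signal that it is not being enforced. The cheapest fix is a one-time warning in New beside the new `if s.seccompEnabled` block, e.g. `if !s.seccompEnabled { logrus.Warnf("seccomp is not supported on this host; ignoring profile %q and running containers without syscall filtering", config.SeccompProfile) }` — logrus is already imported by server.go. In RunPodSandbox (whose body starts and ends outside the hunk) it would also be cleaner to skip applying the profile than to apply it and nil it out afterwards, since any profile set earlier in the function is discarded at this point without a trace; if the current ordering is kept, a per-sandbox debug log at the clearing site would at least make the decision visible.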
From 2bb41910478f281c1001a1a0408c2e2006f077ad Mon Sep 17 00:00:00 2001
From: Andrew Pilloud
Date: Tue, 21 Feb 2017 16:39:31 -0800
Subject: [PATCH 2/3] Move seccomp enabled check into seccomp package

Signed-off-by: Andrew Pilloud
---
 server/seccomp/seccomp.go             | 17 +++++++++++++++++
 server/seccomp/seccomp_unsupported.go |  5 +++++
 server/server.go                      | 20 +------------------
 3 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/server/seccomp/seccomp.go b/server/seccomp/seccomp.go
index 2d4c9480..e9ec6cf1 100644
--- a/server/seccomp/seccomp.go
+++ b/server/seccomp/seccomp.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"syscall"
 
 	"github.com/docker/docker/pkg/stringutils"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -13,6 +14,22 @@ import (
 	libseccomp "github.com/seccomp/libseccomp-golang"
 )
 
+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+	// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	const seccompModeFilter = uintptr(2)
+
+	var enabled bool
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
+			enabled = true
+		}
+	}
+	return enabled
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return setupSeccomp(&config, specgen)
diff --git a/server/seccomp/seccomp_unsupported.go b/server/seccomp/seccomp_unsupported.go
index 7ea2417f..efb36bdf 100644
--- a/server/seccomp/seccomp_unsupported.go
+++ b/server/seccomp/seccomp_unsupported.go
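Review bot: The two prctl probes in the new IsEnabled need a comment on why they are safe to run in the server process, because `PR_SET_SECCOMP` with `SECCOMP_MODE_FILTER` reads as if it would install a filter on the daemon. It does not: the filter argument is 0 (a nil sock_fprog), so on a kernel built with CONFIG_SECCOMP_FILTER the call fails with a non-EINVAL error (EFAULT in practice), on one without it the call fails with EINVAL, and only the EINVAL case is treated as unsupported. Suggest replacing the `// Make sure the kernel has CONFIG_SECCOMP_FILTER.` line with `// Probe CONFIG_SECCOMP_FILTER: the nil filter pointer makes this call fail (EFAULT) rather than install anything; only EINVAL means filter mode is unsupported.` The doc comment also promises "enabled for the host" while the function only checks kernel support, not whether this process is permitted to use it; `// IsEnabled reports whether the running kernel supports seccomp filter mode.` describes what is actually checked.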
@@ -4,6 +4,11 @@ package seccomp
 
 import "github.com/opencontainers/runtime-tools/generate"
 
+// IsEnabled returns false, when build without seccomp build tag.
+func IsEnabled() bool {
+	return false
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return nil
diff --git a/server/server.go b/server/server.go
index d9e30e8a..f1d17450 100644
--- a/server/server.go
+++ b/server/server.go
@@ -6,7 +6,6 @@ import (
 	"io/ioutil"
 	"os"
 	"sync"
-	"syscall"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/types"
@@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
 	s.ctrNameIndex.Release(name)
 }
 
-const (
-	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
-	SeccompModeFilter = uintptr(2)
-)
-
-func seccompEnabled() bool {
-	var enabled bool
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
-	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
-			enabled = true
-		}
-	}
-	return enabled
-}
-
 // Shutdown attempts to shut down the server's storage cleanly
 func (s *Server) Shutdown() error {
 	_, err := s.store.Shutdown(false)
@@ -491,7 +473,7 @@ func New(config *Config) (*Server, error) {
 			sandboxes:  sandboxes,
 			containers: containers,
 		},
-		seccompEnabled:  seccompEnabled(),
+		seccompEnabled:  seccomp.IsEnabled(),
 		appArmorEnabled: apparmor.IsEnabled(),
 		appArmorProfile: config.ApparmorProfile,
 	}
From 4ce17f893add55b9a87960ee34b6e97ed4bfd70d Mon Sep 17 00:00:00 2001
From: Andrew Pilloud
Date: Wed, 22 Feb 2017 10:18:56 -0800
Subject: [PATCH 3/3] Change bool style

Signed-off-by: Andrew Pilloud
---
 server/seccomp/seccomp.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

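Review bot: The doc comment on the stub `IsEnabled` in seccomp_unsupported.go is ungrammatical (`returns false, when build without seccomp build tag`); suggest `// IsEnabled returns false when built without the seccomp build tag.` The file's build constraint is outside the hunk, so it cannot be confirmed here that this file and seccomp.go are mutually exclusive; if they ever both compile in, the duplicate IsEnabled is a build break rather than a runtime surprise, which is the better failure mode but still worth a quick check of the tags.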
diff --git a/server/seccomp/seccomp.go b/server/seccomp/seccomp.go
index e9ec6cf1..17f86195 100644
--- a/server/seccomp/seccomp.go
+++ b/server/seccomp/seccomp.go
@@ -19,7 +19,7 @@ func IsEnabled() bool {
 	// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
 	const seccompModeFilter = uintptr(2)
 
-	var enabled bool
+	enabled := false
 	// Check if Seccomp is supported, via CONFIG_SECCOMP.
 	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
 		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
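Review bot: `enabled := false` is the less idiomatic of the two forms — Go convention is `var enabled bool` for a zero-valued declaration, which is exactly the line this hunk replaces — and the flag exists only because the result is produced through two nested ifs. IsEnabled reads more directly as guard clauses with no mutable state: return false as soon as the first probe reports EINVAL, then return the outcome of the second probe, which is the same boolean the nested version computes. The function's remaining lines and closing brace lie outside the hunk, so the rewrite below shows the full body from the signature down.
```go
func IsEnabled() bool {
	// … unchanged: seccompModeFilter const and its comment …

	// Check if Seccomp is supported, via CONFIG_SECCOMP.
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err == syscall.EINVAL {
		return false
	}
	// Make sure the kernel has CONFIG_SECCOMP_FILTER; the nil filter argument
	// makes this call fail instead of installing anything, and only EINVAL
	// means filter mode is unsupported.
	_, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0)
	return err != syscall.EINVAL
```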