vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #368 from apilloud/no_seccomp

Browse source 
Run without seccomp
This commit is contained in:
Mrunal Patel 2017-02-22 12:01:17 -08:00 committed by GitHub
commit 860c5419fd
4 changed files with 37 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
server/sandbox_run.go
View file

@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
} }
if !s.seccompEnabled {
g.Spec().Linux.Seccomp = nil
}
saveOptions := generate.ExportOptions{} saveOptions := generate.ExportOptions{}
mountPoint, err := s.storage.StartContainer(id) mountPoint, err := s.storage.StartContainer(id)
if err != nil { if err != nil {

17
server/seccomp/seccomp.go
View file

@ -6,6 +6,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"syscall"
"github.com/docker/docker/pkg/stringutils" "github.com/docker/docker/pkg/stringutils"
specs "github.com/opencontainers/runtime-spec/specs-go" specs "github.com/opencontainers/runtime-spec/specs-go"
@ -13,6 +14,22 @@ import (
libseccomp "github.com/seccomp/libseccomp-golang" libseccomp "github.com/seccomp/libseccomp-golang"
) )
// IsEnabled returns true if seccomp is enabled for the host.
func IsEnabled() bool {
// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
const seccompModeFilter = uintptr(2)
enabled := false
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
enabled = true
}
}
return enabled
}
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec. // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error { func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
return setupSeccomp(&config, specgen) return setupSeccomp(&config, specgen)

5
server/seccomp/seccomp_unsupported.go
View file

@ -4,6 +4,11 @@ package seccomp
import "github.com/opencontainers/runtime-tools/generate" import "github.com/opencontainers/runtime-tools/generate"
// IsEnabled returns false, when build without seccomp build tag.
func IsEnabled() bool {
return false
}
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec. // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error { func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
return nil return nil

38
server/server.go
View file

@ -6,7 +6,6 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"sync" "sync"
"syscall"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
"github.com/containers/image/types" "github.com/containers/image/types"
@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
s.ctrNameIndex.Release(name) s.ctrNameIndex.Release(name)
} }
const (
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
SeccompModeFilter = uintptr(2)
)
func seccompEnabled() bool {
var enabled bool
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
enabled = true
}
}
return enabled
}
// Shutdown attempts to shut down the server's storage cleanly // Shutdown attempts to shut down the server's storage cleanly
func (s *Server) Shutdown() error { func (s *Server) Shutdown() error {
_, err := s.store.Shutdown(false) _, err := s.store.Shutdown(false)
@ -491,19 +473,21 @@ func New(config *Config) (*Server, error) {
sandboxes: sandboxes, sandboxes: sandboxes,
containers: containers, containers: containers,
}, },
seccompEnabled: seccompEnabled(), seccompEnabled: seccomp.IsEnabled(),
appArmorEnabled: apparmor.IsEnabled(), appArmorEnabled: apparmor.IsEnabled(),
appArmorProfile: config.ApparmorProfile, appArmorProfile: config.ApparmorProfile,
} }
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile) if s.seccompEnabled {
if err != nil { seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err) if err != nil {
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
}
var seccompConfig seccomp.Seccomp
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
s.seccompProfile = seccompConfig
} }
var seccompConfig seccomp.Seccomp
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
s.seccompProfile = seccompConfig
if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile { if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
if err := apparmor.EnsureDefaultApparmorProfile(); err != nil { if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {