Merge pull request #368 from apilloud/no_seccomp

Run without seccomp
2017-02-22 12:01:17 -08:00 · 2017-02-22 12:01:17 -08:00 · 860c5419fd
commit 860c5419fd
parent 424fc8d0d6 4ce17f893a
4 changed files with 37 additions and 27 deletions
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		}
 	}

+	if !s.seccompEnabled {
+		g.Spec().Linux.Seccomp = nil
+	}
+
 	saveOptions := generate.ExportOptions{}
 	mountPoint, err := s.storage.StartContainer(id)
 	if err != nil {
--- a/server/seccomp/seccomp.go
+++ b/server/seccomp/seccomp.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"syscall"

 	"github.com/docker/docker/pkg/stringutils"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@ -13,6 +14,22 @@ import (
 	libseccomp "github.com/seccomp/libseccomp-golang"
 )

+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+	// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	const seccompModeFilter = uintptr(2)
+
+	enabled := false
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
+			enabled = true
+		}
+	}
+	return enabled
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return setupSeccomp(&config, specgen)
--- a/server/seccomp/seccomp_unsupported.go
+++ b/server/seccomp/seccomp_unsupported.go
@ -4,6 +4,11 @@ package seccomp

 import "github.com/opencontainers/runtime-tools/generate"

+// IsEnabled returns false, when build without seccomp build tag.
+func IsEnabled() bool {
+	return false
+}
+
 // LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
 func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
 	return nil
--- a/server/server.go
+++ b/server/server.go
@ -6,7 +6,6 @@ import (
 	"io/ioutil"
 	"os"
 	"sync"
-	"syscall"

 	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/types"
@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
 	s.ctrNameIndex.Release(name)
 }

-const (
-	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
-	SeccompModeFilter = uintptr(2)
-)
-
-func seccompEnabled() bool {
-	var enabled bool
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
-	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
-			enabled = true
-		}
-	}
-	return enabled
-}
-
 // Shutdown attempts to shut down the server's storage cleanly
 func (s *Server) Shutdown() error {
 	_, err := s.store.Shutdown(false)
@ -491,10 +473,11 @@ func New(config *Config) (*Server, error) {
 			sandboxes:  sandboxes,
 			containers: containers,
 		},
-		seccompEnabled:  seccompEnabled(),
+		seccompEnabled:  seccomp.IsEnabled(),
 		appArmorEnabled: apparmor.IsEnabled(),
 		appArmorProfile: config.ApparmorProfile,
 	}
+	if s.seccompEnabled {
 		seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
 		if err != nil {
 			return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
@ -504,6 +487,7 @@ func New(config *Config) (*Server, error) {
 			return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
 		}
 		s.seccompProfile = seccompConfig
+	}

 	if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
 		if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {