commit
860c5419fd
4 changed files with 37 additions and 27 deletions
|
@ -326,6 +326,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}
|
||||
}
|
||||
|
||||
if !s.seccompEnabled {
|
||||
g.Spec().Linux.Seccomp = nil
|
||||
}
|
||||
|
||||
saveOptions := generate.ExportOptions{}
|
||||
mountPoint, err := s.storage.StartContainer(id)
|
||||
if err != nil {
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"syscall"
|
||||
|
||||
"github.com/docker/docker/pkg/stringutils"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
|
@ -13,6 +14,22 @@ import (
|
|||
libseccomp "github.com/seccomp/libseccomp-golang"
|
||||
)
|
||||
|
||||
// IsEnabled returns true if seccomp is enabled for the host.
|
||||
func IsEnabled() bool {
|
||||
// seccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
|
||||
const seccompModeFilter = uintptr(2)
|
||||
|
||||
enabled := false
|
||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
return enabled
|
||||
}
|
||||
|
||||
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
|
||||
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
|
||||
return setupSeccomp(&config, specgen)
|
||||
|
|
|
@ -4,6 +4,11 @@ package seccomp
|
|||
|
||||
import "github.com/opencontainers/runtime-tools/generate"
|
||||
|
||||
// IsEnabled returns false, when build without seccomp build tag.
|
||||
func IsEnabled() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// LoadProfileFromStruct takes a Seccomp struct and setup seccomp in the spec.
|
||||
func LoadProfileFromStruct(config Seccomp, specgen *generate.Generator) error {
|
||||
return nil
|
||||
|
|
|
@ -6,7 +6,6 @@ import (
|
|||
"io/ioutil"
|
||||
"os"
|
||||
"sync"
|
||||
"syscall"
|
||||
|
||||
"github.com/Sirupsen/logrus"
|
||||
"github.com/containers/image/types"
|
||||
|
@ -425,23 +424,6 @@ func (s *Server) releaseContainerName(name string) {
|
|||
s.ctrNameIndex.Release(name)
|
||||
}
|
||||
|
||||
const (
|
||||
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
|
||||
SeccompModeFilter = uintptr(2)
|
||||
)
|
||||
|
||||
func seccompEnabled() bool {
|
||||
var enabled bool
|
||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
return enabled
|
||||
}
|
||||
|
||||
// Shutdown attempts to shut down the server's storage cleanly
|
||||
func (s *Server) Shutdown() error {
|
||||
_, err := s.store.Shutdown(false)
|
||||
|
@ -491,19 +473,21 @@ func New(config *Config) (*Server, error) {
|
|||
sandboxes: sandboxes,
|
||||
containers: containers,
|
||||
},
|
||||
seccompEnabled: seccompEnabled(),
|
||||
seccompEnabled: seccomp.IsEnabled(),
|
||||
appArmorEnabled: apparmor.IsEnabled(),
|
||||
appArmorProfile: config.ApparmorProfile,
|
||||
}
|
||||
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
|
||||
if s.seccompEnabled {
|
||||
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("opening seccomp profile (%s) failed: %v", config.SeccompProfile, err)
|
||||
}
|
||||
var seccompConfig seccomp.Seccomp
|
||||
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
|
||||
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
|
||||
}
|
||||
s.seccompProfile = seccompConfig
|
||||
}
|
||||
var seccompConfig seccomp.Seccomp
|
||||
if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
|
||||
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
|
||||
}
|
||||
s.seccompProfile = seccompConfig
|
||||
|
||||
if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
|
||||
if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {
|
||||
|
|
Loading…
Reference in a new issue