check seccomp is configured in the kernel
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
This commit is contained in:
parent
7967aed912
commit
37926ea8f2
2 changed files with 16 additions and 0 deletions
|
@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
|
|||
type SysInfo struct {
|
||||
// Whether the kernel supports AppArmor or not
|
||||
AppArmor bool
|
||||
// Whether the kernel supports Seccomp or not
|
||||
Seccomp bool
|
||||
|
||||
cgroupMemInfo
|
||||
cgroupCPUInfo
|
||||
|
|
|
@ -5,11 +5,17 @@ import (
|
|||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/Sirupsen/logrus"
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
)
|
||||
|
||||
const (
|
||||
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
|
||||
SeccompModeFilter = uintptr(2)
|
||||
)
|
||||
|
||||
// New returns a new SysInfo, using the filesystem to detect which features
|
||||
// the kernel supports. If `quiet` is `false` warnings are printed in logs
|
||||
// whenever an error occurs or misconfigurations are present.
|
||||
|
@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
|
|||
sysInfo.AppArmor = true
|
||||
}
|
||||
|
||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
|
||||
sysInfo.Seccomp = true
|
||||
}
|
||||
}
|
||||
|
||||
return sysInfo
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue