Merge pull request #19245 from jfrazelle/seccomp-kernel-check
check seccomp is configured in the kernel
						commit
						cb3454b895
					
				
					 2 changed files with 16 additions and 0 deletions
				
			
		|  | @ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers" | |||
| type SysInfo struct { | ||||
| 	// Whether the kernel supports AppArmor or not | ||||
| 	AppArmor bool | ||||
| 	// Whether the kernel supports Seccomp or not | ||||
| 	Seccomp bool | ||||
| 
 | ||||
| 	cgroupMemInfo | ||||
| 	cgroupCPUInfo | ||||
|  |  | |||
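Review bot: The doc comment on the new `Seccomp` field is broader than what the probe in sysinfo_linux.go establishes: that probe only turns the flag on when `PR_SET_SECCOMP` with `SECCOMP_MODE_FILTER` is accepted, i.e. filter mode specifically, not seccomp strict mode. A reader of the struct alone will assume any seccomp support counts. I would make the field comment say what is actually tested: `// Whether the kernel supports seccomp filter mode (CONFIG_SECCOMP_FILTER, SECCOMP_MODE_FILTER) or not`. The rest of the SysInfo struct continues outside this section.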
|  | @ -5,11 +5,17 @@ import ( | |||
| 	"os" | ||||
| 	"path" | ||||
| 	"strings" | ||||
| 	"syscall" | ||||
| 
 | ||||
| 	"github.com/Sirupsen/logrus" | ||||
| 	"github.com/opencontainers/runc/libcontainer/cgroups" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. | ||||
| 	SeccompModeFilter = uintptr(2) | ||||
| ) | ||||
| 
 | ||||
| // New returns a new SysInfo, using the filesystem to detect which features | ||||
| // the kernel supports. If `quiet` is `false` warnings are printed in logs | ||||
| // whenever an error occurs or misconfigurations are present. | ||||
|  | @ -32,6 +38,14 @@ func New(quiet bool) *SysInfo { | |||
| 		sysInfo.AppArmor = true | ||||
| 	} | ||||
| 
 | ||||
| 	// Check if Seccomp is supported, via CONFIG_SECCOMP. | ||||
| 	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { | ||||
| 		// Make sure the kernel has CONFIG_SECCOMP_FILTER. | ||||
| 		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { | ||||
| 			sysInfo.Seccomp = true | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	return sysInfo | ||||
| } | ||||
| 
 | ||||
|  |  | |||
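Review bot: The `PR_SET_SECCOMP` probe in the second hunk is a real prctl call on the daemon's own thread, and nothing in the code or comments says why it is safe: it passes a NULL filter pointer (arg3 = 0), so on a kernel with CONFIG_SECCOMP_FILTER the kernel rejects it (with EFAULT or EACCES, not EINVAL) without installing a filter, and only a kernel compiled without filter support returns EINVAL. That invariant is the whole reason the daemon does not sandbox itself here, and a future "fix" that passes a real `sock_fprog` would irreversibly apply a filter to whichever OS thread happens to run this goroutine. I would state it on the inner call: `// Probe with a NULL filter: a CONFIG_SECCOMP_FILTER kernel fails with EFAULT/EACCES without installing anything; only a kernel lacking filter support returns EINVAL. Never pass a real fprog here.`. Also, the inner `err` shadows the outer one (harmless, but easy to misread), and unlike the rest of `New` as documented at lines 41-43, an unsupported seccomp result is never logged when `quiet` is false — whether that matches how the AppArmor check (outside this hunk) reports, I cannot tell from here.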