From 37926ea8f2c97335b8f5703540a1155727dd8746 Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Mon, 11 Jan 2016 11:44:34 -0800 Subject: [PATCH] check seccomp is configured in the kernel Signed-off-by: Jessica Frazelle --- sysinfo/sysinfo.go | 2 ++ sysinfo/sysinfo_linux.go | 14 ++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/sysinfo/sysinfo.go b/sysinfo/sysinfo.go index 8ec1ceb..285b3ba 100644 --- a/sysinfo/sysinfo.go +++ b/sysinfo/sysinfo.go @@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers" type SysInfo struct { // Whether the kernel supports AppArmor or not AppArmor bool + // Whether the kernel supports Seccomp or not + Seccomp bool cgroupMemInfo cgroupCPUInfo diff --git a/sysinfo/sysinfo_linux.go b/sysinfo/sysinfo_linux.go index ef3410c..59d5379 100644 --- a/sysinfo/sysinfo_linux.go +++ b/sysinfo/sysinfo_linux.go @@ -5,11 +5,17 @@ import ( "os" "path" "strings" + "syscall" "github.com/Sirupsen/logrus" "github.com/opencontainers/runc/libcontainer/cgroups" ) +const ( + // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. + SeccompModeFilter = uintptr(2) +) + // New returns a new SysInfo, using the filesystem to detect which features // the kernel supports. If `quiet` is `false` warnings are printed in logs // whenever an error occurs or misconfigurations are present. @@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo { sysInfo.AppArmor = true } + // Check if Seccomp is supported, via CONFIG_SECCOMP. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. + if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { + sysInfo.Seccomp = true + } + } + return sysInfo }