Use containerd/pkg/seccomp.IsEnabled()
This replaces the local SeccompSupported() utility for the implementation in containerd, which performs the same check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>master
parent
89ebbe5d34
commit
d782dd8d78
|
@ -7,11 +7,11 @@ import (
|
|||
|
||||
"github.com/containerd/containerd/containers"
|
||||
"github.com/containerd/containerd/oci"
|
||||
cdseccomp "github.com/containerd/containerd/pkg/seccomp"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/profiles/seccomp"
|
||||
"github.com/moby/buildkit/solver/pb"
|
||||
"github.com/moby/buildkit/util/entitlements/security"
|
||||
"github.com/moby/buildkit/util/system"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
)
|
||||
|
@ -41,7 +41,7 @@ func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string) (opts []
|
|||
},
|
||||
}, nil
|
||||
case pb.SecurityMode_SANDBOX:
|
||||
if system.SeccompSupported() {
|
||||
if cdseccomp.IsEnabled() {
|
||||
opts = append(opts, withDefaultProfile())
|
||||
}
|
||||
if apparmorProfile != "" {
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
// +build linux,seccomp
|
||||
|
||||
package system
|
||||
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
var seccompSupported bool
|
||||
var seccompOnce sync.Once
|
||||
|
||||
func SeccompSupported() bool {
|
||||
seccompOnce.Do(func() {
|
||||
seccompSupported = getSeccompSupported()
|
||||
})
|
||||
return seccompSupported
|
||||
}
|
||||
|
||||
func getSeccompSupported() bool {
|
||||
if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
|
||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||
if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
// +build !linux,seccomp
|
||||
|
||||
package system
|
||||
|
||||
func SeccompSupported() bool {
|
||||
return false
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
// +build !seccomp
|
||||
|
||||
package system
|
||||
|
||||
func SeccompSupported() bool {
|
||||
return false
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package seccomp
|
||||
|
||||
// IsEnabled checks whether seccomp support is enabled. On Linux, it returns
|
||||
// true if the kernel has been configured to support seccomp (kernel options
|
||||
// CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are set). On non-Linux, it always
|
||||
// returns false.
|
||||
func IsEnabled() bool {
|
||||
return isEnabled()
|
||||
}
|
80
vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go
generated
vendored
Normal file
80
vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go
generated
vendored
Normal file
|
@ -0,0 +1,80 @@
|
|||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
/*
|
||||
Copyright The runc Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package seccomp
|
||||
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
var (
|
||||
enabled bool
|
||||
enabledOnce sync.Once
|
||||
)
|
||||
|
||||
// isEnabled returns whether the kernel has been configured to support seccomp
|
||||
// (including the check for CONFIG_SECCOMP_FILTER kernel option).
|
||||
func isEnabled() bool {
|
||||
// Excerpts from prctl(2), section ERRORS:
|
||||
//
|
||||
// EACCES
|
||||
// option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
|
||||
// the process does not have the CAP_SYS_ADMIN capability or has
|
||||
// not set the no_new_privs attribute <...>.
|
||||
// <...>
|
||||
// EFAULT
|
||||
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the
|
||||
// system was built with CONFIG_SECCOMP_FILTER, and arg3 is an
|
||||
// invalid address.
|
||||
// <...>
|
||||
// EINVAL
|
||||
// option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel
|
||||
// was not configured with CONFIG_SECCOMP.
|
||||
//
|
||||
// EINVAL
|
||||
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER,
|
||||
// and the kernel was not configured with CONFIG_SECCOMP_FILTER.
|
||||
// <end of quote>
|
||||
//
|
||||
// Meaning, in case these kernel options are set (this is what we check
|
||||
// for here), we will get some other error (most probably EACCES or
|
||||
// EFAULT). IOW, EINVAL means "seccomp not supported", any other error
|
||||
// means it is supported.
|
||||
|
||||
enabledOnce.Do(func() {
|
||||
enabled = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
|
||||
})
|
||||
|
||||
return enabled
|
||||
}
|
23
vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go
generated
vendored
Normal file
23
vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go
generated
vendored
Normal file
|
@ -0,0 +1,23 @@
|
|||
// +build !linux
|
||||
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package seccomp
|
||||
|
||||
func isEnabled() bool {
|
||||
return false
|
||||
}
|
|
@ -105,6 +105,7 @@ github.com/containerd/containerd/namespaces
|
|||
github.com/containerd/containerd/oci
|
||||
github.com/containerd/containerd/pkg/cap
|
||||
github.com/containerd/containerd/pkg/dialer
|
||||
github.com/containerd/containerd/pkg/seccomp
|
||||
github.com/containerd/containerd/pkg/seed
|
||||
github.com/containerd/containerd/pkg/userns
|
||||
github.com/containerd/containerd/platforms
|
||||
|
|
Loading…
Reference in New Issue