From d782dd8d78b8a5238df3f9840fa3f6fd19aeb0aa Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 27 Aug 2021 15:07:54 +0200
Subject: [PATCH] Use containerd/pkg/seccomp.IsEnabled()
This replaces the local SeccompSupported() utility for the implementation in containerd, which performs the same check.
Signed-off-by: Sebastiaan van Stijn
---
 executor/oci/spec_unix.go | 4 +-
 util/system/seccomp_linux.go | 29 -------
 util/system/seccomp_nolinux.go | 7 --
 util/system/seccomp_noseccomp.go | 7 --
 .../containerd/pkg/seccomp/seccomp.go | 25 ++++++
 .../containerd/pkg/seccomp/seccomp_linux.go | 80 +++++++++++++++++++
 .../pkg/seccomp/seccomp_unsupported.go | 23 ++++++
 vendor/modules.txt | 1 +
 8 files changed, 131 insertions(+), 45 deletions(-)
 delete mode 100644 util/system/seccomp_linux.go
 delete mode 100644 util/system/seccomp_nolinux.go
 delete mode 100644 util/system/seccomp_noseccomp.go
 create mode 100644 vendor/github.com/containerd/containerd/pkg/seccomp/seccomp.go
 create mode 100644 vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go
 create mode 100644 vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go
diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
index 65f2ca6b..40ef8ed8 100644
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@@ -7,11 +7,11 @@ import (
 "github.com/containerd/containerd/containers"
 "github.com/containerd/containerd/oci"
+ cdseccomp "github.com/containerd/containerd/pkg/seccomp"
 "github.com/docker/docker/pkg/idtools"
 "github.com/docker/docker/profiles/seccomp"
 "github.com/moby/buildkit/solver/pb"
 "github.com/moby/buildkit/util/entitlements/security"
- "github.com/moby/buildkit/util/system"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/selinux/go-selinux/label"
 )
@@ -41,7 +41,7 @@ func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string) (opts []
 },
 }, nil
 case pb.SecurityMode_SANDBOX:
- if system.SeccompSupported() {
+ if cdseccomp.IsEnabled() {
 opts = append(opts, withDefaultProfile())
 }
 if apparmorProfile != "" {
diff --git a/util/system/seccomp_linux.go b/util/system/seccomp_linux.go
deleted file mode 100644
index 62afa03f..00000000
--- a/util/system/seccomp_linux.go
+++ /dev/null
@@ -1,29 +0,0 @@
-// +build linux,seccomp
-
-package system
-
-import (
- "sync"
-
- "golang.org/x/sys/unix"
-)
-
-var seccompSupported bool
-var seccompOnce sync.Once
-
-func SeccompSupported() bool {
- seccompOnce.Do(func() {
- seccompSupported = getSeccompSupported()
- })
- return seccompSupported
-}
-
-func getSeccompSupported() bool {
- if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
- // Make sure the kernel has CONFIG_SECCOMP_FILTER.
- if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
- return true
- }
- }
- return false
-}
diff --git a/util/system/seccomp_nolinux.go b/util/system/seccomp_nolinux.go
deleted file mode 100644
index e348c379..00000000
--- a/util/system/seccomp_nolinux.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// +build !linux,seccomp
-
-package system
-
-func SeccompSupported() bool {
- return false
-}
diff --git a/util/system/seccomp_noseccomp.go b/util/system/seccomp_noseccomp.go
deleted file mode 100644
index 84cfb7fa..00000000
--- a/util/system/seccomp_noseccomp.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// +build !seccomp
-
-package system
-
-func SeccompSupported() bool {
- return false
-}
diff --git a/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp.go b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp.go
new file mode 100644
index 00000000..74982358
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp.go
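Review bot: The `seccomp` build tag no longer gates the default profile at `if cdseccomp.IsEnabled() {`: the removed `util/system/seccomp_noseccomp.go` returned false for `!seccomp` builds, whereas the vendored `pkg/seccomp` is selected by GOOS only, so a Linux binary built without `-tags seccomp` now appends `withDefaultProfile()` whenever the kernel reports CONFIG_SECCOMP_FILTER support. Applying the profile by default is the safer outcome for SANDBOX mode, but it is a behaviour change that the commit message ("performs the same check") does not mention and that deserves a sentence in the description, and it is worth confirming that `withDefaultProfile()` and the `docker/profiles/seccomp` package it presumably relies on still build and apply correctly on tag-less builds. A short comment above the condition would save the next reader the archaeology, e.g. `// The default profile is applied whenever the kernel supports seccomp filters; the old "seccomp" build tag is no longer consulted.` `generateSecurityOpts` starts and ends outside the hunk.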
@@ -0,0 +1,25 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package seccomp
+
+// IsEnabled checks whether seccomp support is enabled. On Linux, it returns
+// true if the kernel has been configured to support seccomp (kernel options
+// CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are set). On non-Linux, it always
+// returns false.
+func IsEnabled() bool {
+ return isEnabled()
+}
diff --git a/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go
new file mode 100644
index 00000000..a23b492c
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_linux.go
@@ -0,0 +1,80 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+/*
+ Copyright The runc Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package seccomp
+
+import (
+ "sync"
+
+ "golang.org/x/sys/unix"
+)
+
+var (
+ enabled bool
+ enabledOnce sync.Once
+)
+
+// isEnabled returns whether the kernel has been configured to support seccomp
+// (including the check for CONFIG_SECCOMP_FILTER kernel option).
+func isEnabled() bool {
+ // Excerpts from prctl(2), section ERRORS:
+ //
+ // EACCES
+ // option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
+ // the process does not have the CAP_SYS_ADMIN capability or has
+ // not set the no_new_privs attribute <...>.
+ // <...>
+ // EFAULT
+ // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the
+ // system was built with CONFIG_SECCOMP_FILTER, and arg3 is an
+ // invalid address.
+ // <...>
+ // EINVAL
+ // option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel
+ // was not configured with CONFIG_SECCOMP.
+ //
+ // EINVAL
+ // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER,
+ // and the kernel was not configured with CONFIG_SECCOMP_FILTER.
+ //
+ //
+ // Meaning, in case these kernel options are set (this is what we check
+ // for here), we will get some other error (most probably EACCES or
+ // EFAULT). IOW, EINVAL means "seccomp not supported", any other error
+ // means it is supported.
+
+ enabledOnce.Do(func() {
+ enabled = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
+ })
+
+ return enabled
+}
diff --git a/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go
new file mode 100644
index 00000000..87b13342
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/pkg/seccomp/seccomp_unsupported.go
@@ -0,0 +1,23 @@
+// +build !linux
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package seccomp
+
+func isEnabled() bool {
+ return false
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b80e4e2d..51a55af4 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -105,6 +105,7 @@ github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/oci
 github.com/containerd/containerd/pkg/cap
 github.com/containerd/containerd/pkg/dialer
+github.com/containerd/containerd/pkg/seccomp
 github.com/containerd/containerd/pkg/seed
 github.com/containerd/containerd/pkg/userns
 github.com/containerd/containerd/platforms