check seccomp is configured in the kernel
@@ -238,6 +238,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro |
| 238 | 238 |
} |
| 239 | 239 |
uidMap, gidMap := daemon.GetUIDGIDMaps() |
| 240 | 240 |
|
| 241 |
+ if !daemon.seccompEnabled {
|
|
| 242 |
+ if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
|
| 243 |
+ return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
|
|
| 244 |
+ } |
|
| 245 |
+ logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
|
|
| 246 |
+ c.SeccompProfile = "unconfined" |
|
| 247 |
+ } |
|
| 248 |
+ |
|
| 241 | 249 |
defaultCgroupParent := "/docker" |
| 242 | 250 |
if daemon.configStore.CgroupParent != "" {
|
| 243 | 251 |
defaultCgroupParent = daemon.configStore.CgroupParent |
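Review bot: The two new messages at new-side lines 243 and 245 are sentence-cased and end with a period, which golint/staticcheck flag for error values because they get chained behind other context; `return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")` keeps the meaning, if the project's lint allows it. The fallback on the following lines rewrites the container's profile in place, and a short why-comment would help the next reader, e.g. `// Record the downgrade on the container so the rest of populateCommand sees an explicit unconfined profile rather than an empty default.` The literal `"unconfined"` is both compared and assigned here; if the package already has a constant for it, using it would keep the two in step. populateCommand starts and ends outside this hunk.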
@@ -157,6 +157,7 @@ type Daemon struct {
|
| 157 | 157 |
volumes *store.VolumeStore |
| 158 | 158 |
discoveryWatcher discovery.Watcher |
| 159 | 159 |
root string |
| 160 |
+ seccompEnabled bool |
|
| 160 | 161 |
shutdown bool |
| 161 | 162 |
uidMaps []idtools.IDMap |
| 162 | 163 |
gidMaps []idtools.IDMap |
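Review bot: The new seccompEnabled field carries no comment, and its meaning (kernel capability, not a configuration switch) is not obvious from the name alone; `seccompEnabled bool // kernel supports seccomp filtering, as detected by sysinfo at startup` would make that explicit. The Daemon struct begins outside this hunk.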
@@ -821,6 +822,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo |
| 821 | 821 |
d.root = config.Root |
| 822 | 822 |
d.uidMaps = uidMaps |
| 823 | 823 |
d.gidMaps = gidMaps |
| 824 |
+ d.seccompEnabled = sysInfo.Seccomp |
|
| 824 | 825 |
|
| 825 | 826 |
d.nameIndex = registrar.NewRegistrar() |
| 826 | 827 |
d.linkIndex = newLinkIndex() |
@@ -5,11 +5,17 @@ import ( |
| 5 | 5 |
"os" |
| 6 | 6 |
"path" |
| 7 | 7 |
"strings" |
| 8 |
+ "syscall" |
|
| 8 | 9 |
|
| 9 | 10 |
"github.com/Sirupsen/logrus" |
| 10 | 11 |
"github.com/opencontainers/runc/libcontainer/cgroups" |
| 11 | 12 |
) |
| 12 | 13 |
|
| 14 |
+const ( |
|
| 15 |
+ // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. |
|
| 16 |
+ SeccompModeFilter = uintptr(2) |
|
| 17 |
+) |
|
| 18 |
+ |
|
| 13 | 19 |
// New returns a new SysInfo, using the filesystem to detect which features |
| 14 | 20 |
// the kernel supports. If `quiet` is `false` warnings are printed in logs |
| 15 | 21 |
// whenever an error occurs or misconfigurations are present. |
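Review bot: SeccompModeFilter is exported, which makes a raw probe value part of the package's public API; unless another package needs it, `seccompModeFilter = uintptr(2)` keeps it private, and the comment could name the source of the value, `// seccompModeFilter is SECCOMP_MODE_FILTER from linux/seccomp.h.` The newly imported syscall package only defines PR_GET_SECCOMP and PR_SET_SECCOMP on Linux, so this file needs a Linux build constraint if it does not already have one (presumably it does, given the cgroups import, but the file header is outside the hunk).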
@@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
|
| 32 | 32 |
sysInfo.AppArmor = true |
| 33 | 33 |
} |
| 34 | 34 |
|
| 35 |
+ // Check if Seccomp is supported, via CONFIG_SECCOMP. |
|
| 36 |
+ if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
|
| 37 |
+ // Make sure the kernel has CONFIG_SECCOMP_FILTER. |
|
| 38 |
+ if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
|
|
| 39 |
+ sysInfo.Seccomp = true |
|
| 40 |
+ } |
|
| 41 |
+ } |
|
| 42 |
+ |
|
| 35 | 43 |
return sysInfo |
| 36 | 44 |
} |
| 37 | 45 |
|
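Review bot: The PR_SET_SECCOMP probe at new-side line 38 passes a NULL filter and only checks for EINVAL, and nothing in the hunk explains why this does not install a filter on the daemon itself or why every other errno counts as "supported"; a reader could easily take it for a real mode change. A comment on that line would settle it, e.g. `// Probe only: the kernel rejects the unreadable filter pointer (EFAULT) before any mode change, so no filter is installed; only EINVAL means the kernel lacks CONFIG_SECCOMP_FILTER.` The same reasoning applies to the PR_GET_SECCOMP call above it, where EINVAL is the sole signal that CONFIG_SECCOMP is absent. If the daemon were ever started already in seccomp strict mode these prctl calls would not return, but that is a property of the kernel, not of this code — confirm against the kernel's seccomp documentation before relying on it.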