@@ -108,8 +108,8 @@ RUN set -x \

 	&& UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh

 ENV PATH /osxcross/target/bin:$PATH

-# Install seccomp: the version shipped in trusty is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

 	&& curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -78,8 +78,8 @@ RUN cd /usr/local/lvm2 \

 	&& make install_device-mapper

 # See https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

-# Install seccomp: the version shipped in trusty is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

 	&& curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -92,8 +92,8 @@ RUN git clone https://github.com/golang/lint.git /go/src/github.com/golang/lint

 	&& (cd /go/src/github.com/golang/lint && git checkout -q $GO_LINT_COMMIT) \

 	&& go install -v github.com/golang/lint/golint

-# Install seccomp: the version shipped in trusty is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

 	&& curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -77,8 +77,8 @@ RUN cd /usr/local/lvm2 \

 	&& make install_device-mapper

 # See https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

-# Install seccomp: the version shipped in jessie is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

         && export SECCOMP_PATH="$(mktemp -d)" \

         && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -50,8 +50,8 @@ RUN apt-get update && apt-get install -y \

 	vim-common \

 	--no-install-recommends

-# Install seccomp: the version shipped in jessie is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

 	&& curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -34,8 +34,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \

 		vim-common \

 	&& rm -rf /var/lib/apt/lists/*

-# Install seccomp: the version shipped in trusty is too old

-ENV SECCOMP_VERSION 2.3.1

+# Install seccomp: the version shipped upstream is too old

+ENV SECCOMP_VERSION 2.3.2

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

 	&& curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \

@@ -223,10 +223,12 @@

 				"prctl",

 				"pread64",

 				"preadv",

+				"preadv2",

 				"prlimit64",

 				"pselect6",

 				"pwrite64",

 				"pwritev",

+				"pwritev2",

 				"read",

 				"readahead",

 				"readlink",

@@ -217,10 +217,12 @@ func DefaultProfile() *types.Seccomp {

 				"prctl",

 				"pread64",

 				"preadv",

+				"preadv2",

 				"prlimit64",

 				"pselect6",

 				"pwrite64",

 				"pwritev",

+				"pwritev2",

 				"read",

 				"readahead",

 				"readlink",

@@ -63,7 +63,7 @@ github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

 # When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly

 github.com/opencontainers/runc a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 https://github.com/docker/runc.git # libcontainer

 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs

-github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

+github.com/seccomp/libseccomp-golang v0.9.0

 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

 github.com/coreos/go-systemd v4

 github.com/godbus/dbus v4.0.0

@@ -27,6 +27,28 @@ import "C"

 // Exported types

+// VersionError denotes that the system libseccomp version is incompatible

+// with this package.

+type VersionError struct {

+	message string

+	minimum string

+}

+

+func (e VersionError) Error() string {

+	format := "Libseccomp version too low: "

+	if e.message != "" {

+		format += e.message + ": "

+	}

+	format += "minimum supported is "

+	if e.minimum != "" {

+		format += e.minimum + ": "

+	} else {

+		format += "2.1.0: "

+	}

+	format += "detected %d.%d.%d"

+	return fmt.Sprintf(format, verMajor, verMinor, verMicro)

+}

+

 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a

 // per-architecture basis.

 type ScmpArch uint

@@ -151,6 +173,10 @@ const (

 // GetArchFromString returns an ScmpArch constant from a string representing an

 // architecture

 func GetArchFromString(arch string) (ScmpArch, error) {

+	if err := ensureSupportedVersion(); err != nil {

+		return ArchInvalid, err

+	}

+

 	switch strings.ToLower(arch) {

 	case "x86":

 		return ArchX86, nil

@@ -338,6 +364,10 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {

 // Returns the number of the syscall, or an error if no syscall with that name

 // was found.

 func GetSyscallFromName(name string) (ScmpSyscall, error) {

+	if err := ensureSupportedVersion(); err != nil {

+		return 0, err

+	}

+

 	cString := C.CString(name)

 	defer C.free(unsafe.Pointer(cString))

@@ -355,6 +385,9 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {

 // Returns the number of the syscall, or an error if an invalid architecture is

 // passed or a syscall with that name was not found.

 func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {

+	if err := ensureSupportedVersion(); err != nil {

+		return 0, err

+	}

 	if err := sanitizeArch(arch); err != nil {

 		return 0, err

 	}

@@ -386,6 +419,10 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {

 func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) {

 	var condStruct ScmpCondition

+	if err := ensureSupportedVersion(); err != nil {

+		return condStruct, err

+	}

+

 	if comparison == CompareInvalid {

 		return condStruct, fmt.Errorf("invalid comparison operator")

 	} else if arg > 5 {

@@ -413,6 +450,10 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo

 // GetNativeArch returns architecture token representing the native kernel

 // architecture

 func GetNativeArch() (ScmpArch, error) {

+	if err := ensureSupportedVersion(); err != nil {

+		return ArchInvalid, err

+	}

+

 	arch := C.seccomp_arch_native()

 	return archFromNative(arch)

@@ -435,6 +476,10 @@ type ScmpFilter struct {

 // Returns a reference to a valid filter context, or nil and an error if the

 // filter context could not be created or an invalid default action was given.

 func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {

+	if err := ensureSupportedVersion(); err != nil {

+		return nil, err

+	}

+

 	if err := sanitizeAction(defaultAction); err != nil {

 		return nil, err

 	}

@@ -7,7 +7,6 @@ package seccomp

 import (

 	"fmt"

-	"os"

 	"syscall"

 )

@@ -192,12 +191,12 @@ func checkVersionAbove(major, minor, micro int) bool {

 		(verMajor == major && verMinor == minor && verMicro >= micro)

 }

-// Init function: Verify library version is appropriate

-func init() {

+// Ensure that the library is supported, i.e. >= 2.1.0.

+func ensureSupportedVersion() error {

 	if !checkVersionAbove(2, 1, 0) {

-		fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO)

-		os.Exit(-1)

+		return VersionError{}

 	}

+	return nil

 }

 // Filter helpers

@@ -217,7 +216,10 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {

 	}

 	if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {

-		return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")

+		return 0x0, VersionError{

+			message: "thread synchronization attribute is not supported",

+			minimum: "2.2.0",

+		}

 	}

 	var attribute C.uint32_t

@@ -240,7 +242,10 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error

 	}

 	if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {

-		return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")

+		return VersionError{

+			message: "thread synchronization attribute is not supported",

+			minimum: "2.2.0",

+		}

 	}

 	retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)

@@ -296,7 +301,10 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b

 	} else {

 		// We don't support conditional filtering in library version v2.1

 		if !checkVersionAbove(2, 2, 1) {

-			return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1")

+			return VersionError{

+				message: "conditional filtering is not supported",

+				minimum: "2.2.1",

+			}

 		}

 		for _, cond := range conds {