Merge pull request #19245 from jfrazelle/seccomp-kernel-check

check seccomp is configured in the kernel
2022-11-09 12:21:53 -05:00 · 2016-01-12 11:33:27 -08:00 · 2016-01-12 11:33:27 -08:00 · 293b3767c8
commit 293b3767c8
parent 45211af702 40d5ced9d0
5 changed files with 27 additions and 1 deletions
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@ -238,6 +238,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 	}
 	uidMap, gidMap := daemon.GetUIDGIDMaps()

+	if !daemon.seccompEnabled {
+		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+		}
+		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+		c.SeccompProfile = "unconfined"
+	}
+
 	defaultCgroupParent := "/docker"
 	if daemon.configStore.CgroupParent != "" {
 		defaultCgroupParent = daemon.configStore.CgroupParent
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@ -157,6 +157,7 @@ type Daemon struct {
 	volumes                   *store.VolumeStore
 	discoveryWatcher          discovery.Watcher
 	root                      string
+	seccompEnabled            bool
 	shutdown                  bool
 	uidMaps                   []idtools.IDMap
 	gidMaps                   []idtools.IDMap
@ -821,6 +822,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
 	d.root = config.Root
 	d.uidMaps = uidMaps
 	d.gidMaps = gidMaps
+	d.seccompEnabled = sysInfo.Seccomp

 	d.nameIndex = registrar.NewRegistrar()
 	d.linkIndex = newLinkIndex()
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@ -77,7 +77,7 @@ var (
 	}
 	seccompEnabled = testRequirement{
 		func() bool {
-			return supportsSeccomp
+			return supportsSeccomp && SysInfo.Seccomp
 		},
 		"Test requires that seccomp support be enabled in the daemon.",
 	}
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
 type SysInfo struct {
 	// Whether the kernel supports AppArmor or not
 	AppArmor bool
+	// Whether the kernel supports Seccomp or not
+	Seccomp bool

 	cgroupMemInfo
 	cgroupCPUInfo
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@ -5,11 +5,17 @@ import (
 	"os"
 	"path"
 	"strings"
+	"syscall"

 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 )

+const (
+	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	SeccompModeFilter = uintptr(2)
+)
+
 // New returns a new SysInfo, using the filesystem to detect which features
 // the kernel supports. If `quiet` is `false` warnings are printed in logs
 // whenever an error occurs or misconfigurations are present.
@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
 		sysInfo.AppArmor = true
 	}

+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+			sysInfo.Seccomp = true
+		}
+	}
+
 	return sysInfo
 }