Merge pull request #19245 from jfrazelle/seccomp-kernel-check

check seccomp is configured in the kernel

daemon/container_operations_unix.go

@@ -238,6 +238,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 	}
 	uidMap, gidMap := daemon.GetUIDGIDMaps()
 
+	if !daemon.seccompEnabled {
+		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+		}
+		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+		c.SeccompProfile = "unconfined"
+	}
+
 	defaultCgroupParent := "/docker"
 	if daemon.configStore.CgroupParent != "" {
 		defaultCgroupParent = daemon.configStore.CgroupParent

daemon/daemon.go

@@ -157,6 +157,7 @@ type Daemon struct {
 	volumes                   *store.VolumeStore
 	discoveryWatcher          discovery.Watcher
 	root                      string
+	seccompEnabled            bool
 	shutdown                  bool
 	uidMaps                   []idtools.IDMap
 	gidMaps                   []idtools.IDMap
@@ -821,6 +822,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
 	d.root = config.Root
 	d.uidMaps = uidMaps
 	d.gidMaps = gidMaps
+	d.seccompEnabled = sysInfo.Seccomp
 
 	d.nameIndex = registrar.NewRegistrar()
 	d.linkIndex = newLinkIndex()

integration-cli/requirements_unix.go

@@ -77,7 +77,7 @@ var (
 	}
 	seccompEnabled = testRequirement{
 		func() bool {
-			return supportsSeccomp
+			return supportsSeccomp && SysInfo.Seccomp
 		},
 		"Test requires that seccomp support be enabled in the daemon.",
 	}

pkg/sysinfo/sysinfo.go

@@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
 type SysInfo struct {
 	// Whether the kernel supports AppArmor or not
 	AppArmor bool
+	// Whether the kernel supports Seccomp or not
+	Seccomp bool
 
 	cgroupMemInfo
 	cgroupCPUInfo

pkg/sysinfo/sysinfo_linux.go

@@ -5,11 +5,17 @@ import (
 	"os"
 	"path"
 	"strings"
+	"syscall"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
+const (
+	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	SeccompModeFilter = uintptr(2)
+)
+
 // New returns a new SysInfo, using the filesystem to detect which features
 // the kernel supports. If `quiet` is `false` warnings are printed in logs
 // whenever an error occurs or misconfigurations are present.
@@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
 		sysInfo.AppArmor = true
 	}
 
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+			sysInfo.Seccomp = true
+		}
+	}
+
 	return sysInfo
 }