From 40d5ced9d00113744555ff13f4e62617dda5f1e2 Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Mon, 11 Jan 2016 11:44:34 -0800
Subject: [PATCH] check seccomp is configured in the kernel

Signed-off-by: Jessica Frazelle
---
 daemon/container_operations_unix.go | 8 ++++++++
 daemon/daemon.go | 2 ++
 integration-cli/requirements_unix.go | 2 +-
 pkg/sysinfo/sysinfo.go | 2 ++
 pkg/sysinfo/sysinfo_linux.go | 14 ++++++++++++++
 5 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 9840fa2b0f..c03f8c46b0 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -242,6 +242,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 }
 uidMap, gidMap := daemon.GetUIDGIDMaps()
 
+ if !daemon.seccompEnabled {
+ if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+ return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+ }
+ logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+ c.SeccompProfile = "unconfined"
+ }
+
 defaultCgroupParent := "/docker"
 if daemon.configStore.CgroupParent != "" {
 defaultCgroupParent = daemon.configStore.CgroupParent
diff --git a/daemon/daemon.go b/daemon/daemon.go
index b23543a52a..c670e6b2df 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -157,6 +157,7 @@ type Daemon struct {
 volumes *store.VolumeStore
 discoveryWatcher discovery.Watcher
 root string
+ seccompEnabled bool
 shutdown bool
 uidMaps []idtools.IDMap
 gidMaps []idtools.IDMap
@@ -851,6 +852,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
 d.root = config.Root
 d.uidMaps = uidMaps
 d.gidMaps = gidMaps
+ d.seccompEnabled = sysInfo.Seccomp
 
 if err := d.cleanupMounts(); err != nil {
 return nil, err
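Review bot: The fallback writes `"unconfined"` back into `c.SeccompProfile` on the container object instead of into a local, so a container created on a kernel without seccomp filter support carries a stored profile of unconfined; if the container config is persisted after populateCommand (not visible in this hunk), it would stay unconfined even after a restart on a kernel where the daemon's default profile could apply. I would compute the effective profile in a local (`seccompProfile := c.SeccompProfile` before the check, `seccompProfile = "unconfined"` in the fallback) and have whatever consumes the profile later in this function read that local. Separately, the `fmt.Errorf` text should follow Go error-string convention, lowercase and without the trailing period: `"seccomp is not enabled in your kernel, cannot run a custom seccomp profile"`. populateCommand starts before and continues after this hunk.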
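Review bot: The new `seccompEnabled` field carries no comment, and the name alone does not tell a reader that it is a one-time kernel probe result rather than a daemon configuration option. I would add above it: `// seccompEnabled records whether the kernel reported seccomp filter support when the daemon started (from sysinfo); when false, containers are run without a seccomp profile.` The Daemon struct begins before and continues past this hunk.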
diff --git a/integration-cli/requirements_unix.go b/integration-cli/requirements_unix.go
index 5110b9bda3..e71ffd1beb 100644
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@@ -77,7 +77,7 @@ var (
 }
 seccompEnabled = testRequirement{
 func() bool {
- return supportsSeccomp
+ return supportsSeccomp && SysInfo.Seccomp
 },
 "Test requires that seccomp support be enabled in the daemon.",
 }
diff --git a/pkg/sysinfo/sysinfo.go b/pkg/sysinfo/sysinfo.go
index 8ec1ceb726..285b3ba58f 100644
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
 type SysInfo struct {
 // Whether the kernel supports AppArmor or not
 AppArmor bool
+ // Whether the kernel supports Seccomp or not
+ Seccomp bool
 
 cgroupMemInfo
 cgroupCPUInfo
diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index ef3410cfae..59d53796cb 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@@ -5,11 +5,17 @@ import (
 "os"
 "path"
 "strings"
+ "syscall"
 
 "github.com/Sirupsen/logrus"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
+const (
+ // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+ SeccompModeFilter = uintptr(2)
+)
+
 // New returns a new SysInfo, using the filesystem to detect which features
 // the kernel supports. If `quiet` is `false` warnings are printed in logs
 // whenever an error occurs or misconfigurations are present.
@@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
 sysInfo.AppArmor = true
 }
 
+ // Check if Seccomp is supported, via CONFIG_SECCOMP.
+ if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+ // Make sure the kernel has CONFIG_SECCOMP_FILTER.
+ if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+ sysInfo.Seccomp = true
+ }
+ }
+
 return sysInfo
 }
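Review bot: The new comment `// Whether the kernel supports Seccomp or not` is looser than what the flag actually means: the Linux probe in this same patch sets it only when both PR_GET_SECCOMP and PR_SET_SECCOMP with SECCOMP_MODE_FILTER are accepted, so a kernel with CONFIG_SECCOMP but without CONFIG_SECCOMP_FILTER still reports false. I would say so explicitly: `// Whether the kernel supports seccomp filter mode (CONFIG_SECCOMP_FILTER); false on kernels with only strict-mode seccomp or none at all.` Presumably non-Linux builds never set it, which the comment could also mention once confirmed. The SysInfo struct continues past this hunk.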
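Review bot: The inner probe issues a real `PR_SET_SECCOMP` with `SECCOMP_MODE_FILTER` and a NULL filter pointer, and the only thing preventing it from confining the daemon process is that the kernel rejects the NULL argument before installing anything; `err != syscall.EINVAL` then counts that rejection — or any other errno, including a zero `Errno` on success — as "supported". That is correct on kernels I am aware of but subtle enough to document and guard: I would add `// A NULL filter is refused (EFAULT) once CONFIG_SECCOMP_FILTER is compiled in; only EINVAL means filter mode is unknown. This call must never succeed, or the daemon itself would be confined.` above the inner call, and treat `err == 0` as an unexpected result rather than as support. The surrounding checks warn when `quiet` is false; an absent seccomp filter could log the same way here instead of only at container start. New's body starts before this hunk.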