[lxc-devel] [lxd/master] seccomp: detect listener support
brauner on Github
lxc-bot at linuxcontainers.org
Wed Apr 24 17:01:00 UTC 2019
From 62c5c19d40b5afeecd331512da0fc3c51a7c6a9e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 24 Apr 2019 19:00:11 +0200
Subject: [PATCH] seccomp: detect listener support
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/daemon.go | 7 +++++++
lxd/main_checkfeature.go | 23 +++++++++++++++++++++++
lxd/sys/os.go | 1 +
3 files changed, 31 insertions(+)
diff --git a/lxd/daemon.go b/lxd/daemon.go
index ac7fc039e5..1dc254cce1 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -504,6 +504,13 @@ func (d *Daemon) init() error {
logger.Infof(" - uevent injection: no")
}
+ d.os.SeccompListener = CanUseSeccompListener()
+ if d.os.SeccompListener {
+ logger.Infof(" - seccomp listener: yes")
+ } else {
+ logger.Infof(" - seccomp listener: no")
+ }
+
/*
* During daemon startup we're the only thread that touches VFS3Fscaps
* so we don't need to bother with atomic.StoreInt32() when touching
diff --git a/lxd/main_checkfeature.go b/lxd/main_checkfeature.go
index ccd1070dd6..3b12811b0c 100644
--- a/lxd/main_checkfeature.go
+++ b/lxd/main_checkfeature.go
@@ -18,12 +18,18 @@ import (
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
+#include <syscall.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/audit.h>
+#include <sys/ptrace.h>
#include "../shared/netns_getifaddrs.c"
#include "include/memory_utils.h"
bool netnsid_aware = false;
bool uevent_aware = false;
+bool seccomp_notify_aware = false;
char errbuf[4096];
extern int can_inject_uevent(const char *uevent, size_t len);
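Review bot: Three of the five new includes — `<linux/filter.h>`, `<linux/audit.h>` and `<sys/ptrace.h>` — are not referenced by anything this patch adds; the probe introduced later in the file only needs `<syscall.h>` (for `syscall()` and `__NR_seccomp`) and `<linux/seccomp.h>` (for `SECCOMP_GET_ACTION_AVAIL`, `SECCOMP_RET_USER_NOTIF` and `__u32`). If they are groundwork for a follow-up that installs a filter, a one-line comment saying so would stop the next reader from pruning them; otherwise dropping them keeps the cgo preamble minimal. The new global would also read better with the same note the probe deserves, e.g. `/* set by is_seccomp_notify_aware(): kernel accepts SECCOMP_RET_USER_NOTIF */`.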
@@ -125,12 +131,25 @@ void is_uevent_aware()
uevent_aware = true;
}
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+#endif
+
+void is_seccomp_notify_aware(void)
+{
+ __u32 action[] = { SECCOMP_RET_USER_NOTIF };
+ seccomp_notify_aware = (syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL,
+ 0, &action[0]) == 0);
+
+}
+
void checkfeature()
{
__do_close_prot_errno int hostnetns_fd = -EBADF, newnetns_fd = -EBADF;
is_netnsid_aware(&hostnetns_fd, &newnetns_fd);
is_uevent_aware();
+ is_seccomp_notify_aware();
if (setns(hostnetns_fd, CLONE_NEWNET) < 0)
(void)sprintf(errbuf, "%s", "Failed to attach to host network namespace");
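Review bot: `SECCOMP_GET_ACTION_AVAIL` in the syscall() call is used unguarded while `SECCOMP_RET_USER_NOTIF` directly above it gets an `#ifndef` fallback, so building against kernel headers old enough to lack the former fails to compile instead of reporting "no"; the same pattern closes the gap: `#ifndef SECCOMP_GET_ACTION_AVAIL` / `#define SECCOMP_GET_ACTION_AVAIL 2` / `#endif`. The probe folds every failure (ENOSYS for a kernel without the seccomp syscall, EINVAL for a kernel that rejects the action) into `false`, which is correct for a capability check but deserves a header comment, e.g. `/* Probe whether the kernel accepts SECCOMP_RET_USER_NOTIF; any syscall failure (ENOSYS, EINVAL) means no listener support. */`, since unlike the setns() path below it records nothing in errbuf. The blank line before the closing brace of is_seccomp_notify_aware() is stray. checkfeature()'s body continues outside the hunk.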
@@ -156,3 +175,7 @@ func CanUseNetnsGetifaddrs() bool {
func CanUseUeventInjection() bool {
return bool(C.uevent_aware)
}
+
+func CanUseSeccompListener() bool {
+ return bool(C.seccomp_notify_aware)
+}
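Review bot: CanUseSeccompListener is exported without a doc comment, and the sibling CanUseUeventInjection sets the same precedent, so a reader has to locate the cgo probe to learn what "can use" means here. `// CanUseSeccompListener reports whether the startup checkfeature() probe found that the kernel accepts SECCOMP_RET_USER_NOTIF.` would cover it. It is worth stating in that comment that the value is only meaningful after checkfeature() has run, since the backing C global is initialised to false.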
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index 4d548734fa..e65f4eb173 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -60,6 +60,7 @@ type OS struct {
InotifyWatch InotifyInfo
NetnsGetifaddrs bool
UeventInjection bool
+ SeccompListener bool
VFS3Fscaps bool
Shiftfs bool