[lxc-devel] [lxd/master] seccomp: detect listener support

brauner on Github lxc-bot at linuxcontainers.org
Wed Apr 24 17:01:00 UTC 2019


From 62c5c19d40b5afeecd331512da0fc3c51a7c6a9e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 24 Apr 2019 19:00:11 +0200
Subject: [PATCH] seccomp: detect listener support

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/daemon.go            |  7 +++++++
 lxd/main_checkfeature.go | 23 +++++++++++++++++++++++
 lxd/sys/os.go            |  1 +
 3 files changed, 31 insertions(+)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index ac7fc039e5..1dc254cce1 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -504,6 +504,13 @@ func (d *Daemon) init() error {
 		logger.Infof(" - uevent injection: no")
 	}
 
+	d.os.SeccompListener = CanUseSeccompListener()
+	if d.os.SeccompListener {
+		logger.Infof(" - seccomp listener: yes")
+	} else {
+		logger.Infof(" - seccomp listener: no")
+	}
+
 	/*
 	 * During daemon startup we're the only thread that touches VFS3Fscaps
 	 * so we don't need to bother with atomic.StoreInt32() when touching
diff --git a/lxd/main_checkfeature.go b/lxd/main_checkfeature.go
index ccd1070dd6..3b12811b0c 100644
--- a/lxd/main_checkfeature.go
+++ b/lxd/main_checkfeature.go
@@ -18,12 +18,18 @@ import (
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
+#include <syscall.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/audit.h>
+#include <sys/ptrace.h>
 
 #include "../shared/netns_getifaddrs.c"
 #include "include/memory_utils.h"
 
 bool netnsid_aware = false;
 bool uevent_aware = false;
+bool seccomp_notify_aware = false;
 char errbuf[4096];
 
 extern int can_inject_uevent(const char *uevent, size_t len);
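Review bot: The added `<linux/filter.h>`, `<linux/audit.h>` and `<sys/ptrace.h>` are not referenced by anything else in this patch; the new probe only needs `<syscall.h>` for `__NR_seccomp` and `<linux/seccomp.h>` for `SECCOMP_GET_ACTION_AVAIL`/`SECCOMP_RET_USER_NOTIF`. If they are groundwork for a follow-up that builds and loads a real BPF filter, a one-line comment such as `/* filter.h/audit.h/ptrace.h: needed once a real notify filter is installed */` would keep the next header cleanup from dropping them; otherwise they should go now. Unused kernel UAPI headers also widen the set of distro header versions the file has to build against for no benefit.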
@@ -125,12 +131,25 @@ void is_uevent_aware()
 	uevent_aware = true;
 }
 
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+#endif
+
+void is_seccomp_notify_aware(void)
+{
+	__u32 action[] = { SECCOMP_RET_USER_NOTIF };
+	seccomp_notify_aware = (syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL,
+					0, &action[0]) == 0);
+
+}
+
 void checkfeature()
 {
 	__do_close_prot_errno int hostnetns_fd = -EBADF, newnetns_fd = -EBADF;
 
 	is_netnsid_aware(&hostnetns_fd, &newnetns_fd);
 	is_uevent_aware();
+	is_seccomp_notify_aware();
 
 	if (setns(hostnetns_fd, CLONE_NEWNET) < 0)
 		(void)sprintf(errbuf, "%s", "Failed to attach to host network namespace");
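Review bot: `SECCOMP_GET_ACTION_AVAIL` in `is_seccomp_notify_aware()` has no fallback definition, so the build fails against kernel headers older than 4.14 (where that operation was introduced) even though `SECCOMP_RET_USER_NOTIF` a few lines above is guarded; add `#ifndef SECCOMP_GET_ACTION_AVAIL` / `#define SECCOMP_GET_ACTION_AVAIL 2` / `#endif` next to the existing guard (`__NR_seccomp` has the same exposure on old libc headers, though that one is harder to paper over portably). The runtime logic itself is fail-safe: on a kernel that lacks either the operation or the action, seccomp(2) returns -1 and the flag stays false. Worth a short comment that a positive result only means the kernel recognises the action, and that the code path which actually installs a filter with a listener must still handle failure, since filter installation is subject to the caller's no_new_privs/CAP_SYS_ADMIN situation, which this probe does not exercise. The stray blank line before the closing brace of the function should be removed.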
@@ -156,3 +175,7 @@ func CanUseNetnsGetifaddrs() bool {
 func CanUseUeventInjection() bool {
 	return bool(C.uevent_aware)
 }
+
+func CanUseSeccompListener() bool {
+	return bool(C.seccomp_notify_aware)
+}
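Review bot: `CanUseSeccompListener` is an exported function without a doc comment; suggest `// CanUseSeccompListener reports whether the kernel accepted SECCOMP_RET_USER_NOTIF via SECCOMP_GET_ACTION_AVAIL when checkfeature() ran.` The function reads the C global `seccomp_notify_aware` with no synchronisation, which is fine only if `checkfeature()` is guaranteed to have completed before any Go caller (this patch does not show how `checkfeature()` is invoked, so that ordering is presumed); the doc comment is a good place to state that precondition, as it applies equally to the two sibling accessors.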
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index 4d548734fa..e65f4eb173 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -60,6 +60,7 @@ type OS struct {
 	InotifyWatch            InotifyInfo
 	NetnsGetifaddrs         bool
 	UeventInjection         bool
+	SeccompListener         bool
 	VFS3Fscaps              bool
 	Shiftfs                 bool
 

