[lxc-devel] [lxd/master] seccomp: fix compilation on kernels without proper bpf.h

brauner on Github lxc-bot at linuxcontainers.org
Wed Sep 9 12:33:09 UTC 2020


From 571f8d60ff099673facf7f99916b79ba29d11e72 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 9 Sep 2020 14:30:10 +0200
Subject: [PATCH] seccomp: fix compilation on kernels without proper bpf.h

We use the BPF_DEVCG_DEV_CHAR macro as a cheap way to detect whether the kernel
has the correct headers available to be compiled for bpf support. Since cgo
doesn't have a good way of letting us probe for structs or enums, the
alternative would be to vendor bpf.h similar to what we do for seccomp itself.
But that's annoying since bpf.h is quite large. So users that want bpf
interception support should make sure to have the relevant header available at
build time.

Closes: #7849
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp/seccomp.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 61825f3abf..2ac72d7b08 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -259,6 +259,13 @@ static void prepare_seccomp_iovec(struct iovec *iov,
 	iov[3].iov_len = SECCOMP_COOKIE_SIZE;
 }
 
+// We use the BPF_DEVCG_DEV_CHAR macro as a cheap way to detect whether the kernel has
+// the correct headers available to be compiled for bpf support. Since cgo doesn't have
+// a good way of letting us probe for structs or enums the alternative would be to vendor
+// bpf.h similar to what we do for seccomp itself. But that's annoying since bpf.h is quite
+// large. So users that want bpf interception support should make sure to have the relevant
+// header available at build time.
+#ifndef BPF_DEVCG_DEV_CHAR
 static inline int pidfd_getfd(int pidfd, int fd, int flags)
 {
 	return syscall(__NR_pidfd_getfd, pidfd, fd, flags);
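Review bot: the guard at the bottom of this hunk, `#ifndef BPF_DEVCG_DEV_CHAR`, reads as inverted relative to the comment placed directly above it. The comment says the macro is the signal that the proper bpf headers are present, yet the real `pidfd_getfd` and bpf-handling code that follows is compiled only when the macro is *not* defined, which would leave the ENOSYS stub in the `#else` branch as the code built on kernels that do have the header. Unless the intent is the opposite of what the comment states, this should be `#ifdef BPF_DEVCG_DEV_CHAR`. It is also worth checking that `pidfd_getfd` has no callers outside the bpf path before tying its definition to this guard, since the whole block disappears together.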
@@ -419,6 +426,17 @@ static int handle_bpf_syscall(int notify_fd, int mem_fd, struct seccomp_notify_p
 	return ret;
 }
 
+#else // !BPF_DEVCG_DEV_CHAR
+
+static int handle_bpf_syscall(int notify_fd, int mem_fd, struct seccomp_notify_proxy_msg *msg,
+			      struct seccomp_notif *req, struct seccomp_notif_resp *resp,
+			      int *bpf_cmd, int *bpf_prog_type, int *bpf_attach_type)
+{
+	errno = ENOSYS;
+	return -errno;
+}
+#endif // BPF_DEVCG_DEV_CHAR
+
 #ifndef MS_LAZYTIME
 #define MS_LAZYTIME (1<<25)
 #endif
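Review bot: the `#else // !BPF_DEVCG_DEV_CHAR` annotation only matches the opening `#ifdef`-style guard this hunk implies, not the `#ifndef` used in the first hunk; please make the two consistent so the ENOSYS stub really is the branch taken when the header is missing. For the stub itself, it returns `-errno` after setting `errno = ENOSYS`, so the Go caller of `handle_bpf_syscall` should be confirmed to treat a negative ENOSYS result as "bpf interception unsupported" (a deterministic deny for the notified syscall) rather than as a per-notification failure; the three output parameters `bpf_cmd`, `bpf_prog_type` and `bpf_attach_type` are never written in this branch, so the caller must not read them on this path.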
