[lxc-devel] [lxd/master] seccomp: improve bpf support detection

brauner on Github lxc-bot at linuxcontainers.org
Tue Sep 22 10:17:14 UTC 2020


From cbad2635672f8d91e0f09a2ae7c000e7c3c0bb27 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 22 Sep 2020 12:14:32 +0200
Subject: [PATCH 1/2] seccomp: fix bpf support detection

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp/seccomp.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 2ac72d7b08..8f61a116ce 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -265,7 +265,7 @@ static void prepare_seccomp_iovec(struct iovec *iov,
 // bpf.h similar to what we do for seccomp itself. But that's annoying since bpf.h is quite
 // large. So users that want bpf interception support should make sure to have the relevant
 // header available at build time.
-#ifndef BPF_DEVCG_DEV_CHAR
+#ifdef BPF_DEVCG_DEV_CHAR
 static inline int pidfd_getfd(int pidfd, int fd, int flags)
 {
 	return syscall(__NR_pidfd_getfd, pidfd, fd, flags);
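Review bot: the commit message should say what was actually wrong, since "fix bpf support detection" alone hides that the previous `#ifndef BPF_DEVCG_DEV_CHAR` was inverted: it compiled the bpf-dependent block exactly when the header constant was missing, which contradicts the comment directly above it that users wanting bpf interception "should make sure to have the relevant header available at build time". Flipping to `#ifdef` is the right fix. It is also worth a short comment on why `pidfd_getfd()` sits under a bpf header guard at all; as the hunk reads, the coupling between the pidfd wrapper and bpf.h availability is not obvious to someone building without the header and wondering why this symbol disappears.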

From d387805be00fc51b03478e9a35948c029945ffaf Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 22 Sep 2020 12:14:55 +0200
Subject: [PATCH 2/2] seccomp: improve bpf support detection

Newer kernels have turned BPF_DEVCG_DEV_CHAR from a define into an enum. Enums
can't be detected at compile time with Go, so switch to BPF_F_ALLOW_MULTI as an
indicator of whether bpf is fully supported on this kernel.
If they turn that into an enum at some point, we'll just "vendor" bpf the
same way we vendor seccomp.

Closes: #7909
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp/seccomp.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 8f61a116ce..e46b99573e 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -265,7 +265,7 @@ static void prepare_seccomp_iovec(struct iovec *iov,
 // bpf.h similar to what we do for seccomp itself. But that's annoying since bpf.h is quite
 // large. So users that want bpf interception support should make sure to have the relevant
 // header available at build time.
-#ifdef BPF_DEVCG_DEV_CHAR
+#ifdef BPF_F_ALLOW_MULTI
 static inline int pidfd_getfd(int pidfd, int fd, int flags)
 {
 	return syscall(__NR_pidfd_getfd, pidfd, fd, flags);
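Review bot: the rationale for the new guard lives only in the commit message; the code comment above the `#ifdef` (the lines ending "header available at build time.") should be extended to say that `BPF_F_ALLOW_MULTI` is a stand-in for "bpf.h is recent enough", because the constant we really care about, `BPF_DEVCG_DEV_CHAR`, is now an enum value and invisible to the preprocessor. Without that, a later reader sees a cgroup-attach flag gating `pidfd_getfd()` and has no way to know it is a proxy check. Since the commit message already concedes the proxy could itself become an enum, naming the fallback plan (vendoring bpf.h like seccomp) in the same comment would make the fragility of this detection explicit at the point where it would break.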

