
Merge pull request #19245 from jfrazelle/seccomp-kernel-check

check seccomp is configured in the kernel
Jess Frazelle 9 years ago
parent
commit
293b3767c8

+ 8 - 0
daemon/container_operations_unix.go

@@ -238,6 +238,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 	}
 	uidMap, gidMap := daemon.GetUIDGIDMaps()
 
+	if !daemon.seccompEnabled {
+		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+		}
+		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+		c.SeccompProfile = "unconfined"
+	}
+
 	defaultCgroupParent := "/docker"
 	if daemon.configStore.CgroupParent != "" {
 		defaultCgroupParent = daemon.configStore.CgroupParent
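Review bot: The error string on the fmt.Errorf line starts with a capital letter and ends with a period, which Go's error-string conventions discourage since the text is usually wrapped by callers; `return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")`. The fallback branch downgrades the container to no filter while the warning it logs does not say which container was affected, so an operator reviewing daemon logs later cannot tell which workloads ran without the default profile; `logrus.Warnf("Seccomp is not enabled in your kernel, running container %s without default profile.", c.ID)` would fix that, assuming the container's ID is reachable on c as elsewhere in the daemon. The in-place write `c.SeccompProfile = "unconfined"` also alters the container's own state rather than only the command being built, so a one-line comment stating this is intended (`// Record the downgrade on the container so later consumers see it as explicitly unconfined.`) would stop a future reader from treating it as an accidental side effect. populateCommand begins and ends outside the hunk.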

+ 2 - 0
daemon/daemon.go

@@ -157,6 +157,7 @@ type Daemon struct {
 	volumes                   *store.VolumeStore
 	discoveryWatcher          discovery.Watcher
 	root                      string
+	seccompEnabled            bool
 	shutdown                  bool
 	uidMaps                   []idtools.IDMap
 	gidMaps                   []idtools.IDMap
@@ -821,6 +822,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
 	d.root = config.Root
 	d.uidMaps = uidMaps
 	d.gidMaps = gidMaps
+	d.seccompEnabled = sysInfo.Seccomp
 
 	d.nameIndex = registrar.NewRegistrar()
 	d.linkIndex = newLinkIndex()
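Review bot: The new seccompEnabled field on the Daemon struct carries no comment, and its meaning is narrower than the name suggests: it is copied from sysInfo.Seccomp once in NewDaemon, so it describes the host kernel's capability at daemon start rather than anything the daemon configured. A comment on the struct field such as `// seccompEnabled records whether the host kernel supported seccomp filtering when the daemon started (from sysinfo.Seccomp).` would make that clear to readers of daemon.go who never see the sysinfo probe. Both the Daemon struct and NewDaemon extend beyond the hunks shown.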

+ 1 - 1
integration-cli/requirements_unix.go

@@ -77,7 +77,7 @@ var (
 	}
 	seccompEnabled = testRequirement{
 		func() bool {
-			return supportsSeccomp
+			return supportsSeccomp && SysInfo.Seccomp
 		},
 		"Test requires that seccomp support be enabled in the daemon.",
 	}
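Review bot: The requirement's message still says seccomp support must be enabled "in the daemon", but the changed predicate on the return line now also fails when the host kernel lacks seccomp filtering, which is not something a test author can fix on the daemon side; `"Test requires that seccomp support be enabled in the daemon and kernel.",` describes the new condition. The enclosing var block starts before the hunk.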

+ 2 - 0
pkg/sysinfo/sysinfo.go

@@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
 type SysInfo struct {
 	// Whether the kernel supports AppArmor or not
 	AppArmor bool
+	// Whether the kernel supports Seccomp or not
+	Seccomp bool
 
 	cgroupMemInfo
 	cgroupCPUInfo
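Review bot: The comment on the new Seccomp field says the kernel "supports Seccomp", but the only assignment to it on this page is made after a SECCOMP_MODE_FILTER probe, so a kernel built with CONFIG_SECCOMP but without CONFIG_SECCOMP_FILTER will report false; the comment should name what is actually tested: `// Whether the kernel supports seccomp filter mode (CONFIG_SECCOMP_FILTER) or not`. The SysInfo struct continues past the hunk.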

+ 14 - 0
pkg/sysinfo/sysinfo_linux.go

@@ -5,11 +5,17 @@ import (
 	"os"
 	"path"
 	"strings"
+	"syscall"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
+const (
+	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	SeccompModeFilter = uintptr(2)
+)
+
 // New returns a new SysInfo, using the filesystem to detect which features
 // the kernel supports. If `quiet` is `false` warnings are printed in logs
 // whenever an error occurs or misconfigurations are present.
@@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
 		sysInfo.AppArmor = true
 	}
 
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+			sysInfo.Seccomp = true
+		}
+	}
+
 	return sysInfo
 }
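Review bot: The filter probe on the PR_SET_SECCOMP line depends on passing a nil filter pointer (the 0 third argument) so that a filter-capable kernel rejects the call with EFAULT before anything is installed, yet nothing in the hunk says so, and a later "fix" that points that argument at a real program would turn a capability check into a seccomp filter applied to the daemon process itself. Suggest a comment directly above that line: `// The nil filter pointer makes a filter-capable kernel fail with EFAULT before installing anything; only EINVAL means filter mode is unknown. Never pass a real filter here.` Comparing `err != syscall.EINVAL` also counts a zero errno as support, which is harmless with a nil pointer but hides the expectation, whereas `err == syscall.EFAULT` would state it exactly. The inner `if _, _, err :=` shadows the outer err, which is safe here only because neither value is used after its if. New begins outside the hunk.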