check seccomp is configured in the kernel

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-11 11:44:34 -08:00 · 2016-01-11 11:44:34 -08:00 · 40d5ced9d0
commit 40d5ced9d0
parent 47074030f6
5 changed files with 27 additions and 1 deletions
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@ -242,6 +242,14 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 	}
 	uidMap, gidMap := daemon.GetUIDGIDMaps()

+	if !daemon.seccompEnabled {
+		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+		}
+		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+		c.SeccompProfile = "unconfined"
+	}
+
 	defaultCgroupParent := "/docker"
 	if daemon.configStore.CgroupParent != "" {
 		defaultCgroupParent = daemon.configStore.CgroupParent
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@ -157,6 +157,7 @@ type Daemon struct {
 	volumes                   *store.VolumeStore
 	discoveryWatcher          discovery.Watcher
 	root                      string
+	seccompEnabled            bool
 	shutdown                  bool
 	uidMaps                   []idtools.IDMap
 	gidMaps                   []idtools.IDMap
@ -851,6 +852,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
 	d.root = config.Root
 	d.uidMaps = uidMaps
 	d.gidMaps = gidMaps
+	d.seccompEnabled = sysInfo.Seccomp

 	if err := d.cleanupMounts(); err != nil {
 		return nil, err
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@ -77,7 +77,7 @@ var (
 	}
 	seccompEnabled = testRequirement{
 		func() bool {
-			return supportsSeccomp
+			return supportsSeccomp && SysInfo.Seccomp
 		},
 		"Test requires that seccomp support be enabled in the daemon.",
 	}
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@ -7,6 +7,8 @@ import "github.com/docker/docker/pkg/parsers"
 type SysInfo struct {
 	// Whether the kernel supports AppArmor or not
 	AppArmor bool
+	// Whether the kernel supports Seccomp or not
+	Seccomp bool

 	cgroupMemInfo
 	cgroupCPUInfo
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@ -5,11 +5,17 @@ import (
 	"os"
 	"path"
 	"strings"
+	"syscall"

 	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 )

+const (
+	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
+	SeccompModeFilter = uintptr(2)
+)
+
 // New returns a new SysInfo, using the filesystem to detect which features
 // the kernel supports. If `quiet` is `false` warnings are printed in logs
 // whenever an error occurs or misconfigurations are present.
@ -32,6 +38,14 @@ func New(quiet bool) *SysInfo {
 		sysInfo.AppArmor = true
 	}

+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+			sysInfo.Seccomp = true
+		}
+	}
+
 	return sysInfo
 }