Merge pull request #38683 from tonistiigi/ptrace-seccomp-update

seccomp: review update for ptrace support

profiles/seccomp/default.json

@@ -374,7 +374,7 @@
 			"args": null,
 			"comment": "",
 			"includes": {
-				"minKernel": "4.8.0"
+				"minKernel": "4.8"
 			},
 			"excludes": {}
 		},

profiles/seccomp/seccomp.go

@@ -96,21 +96,6 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 
 	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
 
-	var currentKernelVersion *kernel.VersionInfo
-	kernelGreaterEqualThan := func(v string) (bool, error) {
-		version, err := kernel.ParseRelease(v)
-		if err != nil {
-			return false, err
-		}
-		if currentKernelVersion == nil {
-			currentKernelVersion, err = kernel.GetKernelVersion()
-			if err != nil {
-				return false, err
-			}
-		}
-		return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
-	}
-
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
 	for _, call := range config.Syscalls {
@@ -188,3 +173,19 @@ func createSpecsSyscall(name string, action types.Action, args []*types.Arg) spe
 	}
 	return newCall
 }
+
+var currentKernelVersion *kernel.VersionInfo
+
+func kernelGreaterEqualThan(v string) (bool, error) {
+	version, err := kernel.ParseRelease(v)
+	if err != nil {
+		return false, err
+	}
+	if currentKernelVersion == nil {
+		currentKernelVersion, err = kernel.GetKernelVersion()
+		if err != nil {
+			return false, err
+		}
+	}
+	return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
+}

profiles/seccomp/seccomp_default.go

@@ -360,7 +360,7 @@ func DefaultProfile() *types.Seccomp {
 			Names:  []string{"ptrace"},
 			Action: types.ActAllow,
 			Includes: types.Filter{
-				MinKernel: "4.8.0",
+				MinKernel: "4.8",
 			},
 		},
 		{