opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-03 19:59:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

vendor: update seccomp/containers-golang to v0.4.1

Browse Source 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2020-05-20 22:50:26 +02:00
parent 8b49d10550
commit e51bccec0c
18 changed files with 450 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
vendor/github.com/seccomp/containers-golang/seccomp_linux.go generated vendored
View File

@@ -1,5 +1,9 @@
// +build seccomp
// SPDX-License-Identifier: Apache-2.0
// Copyright 2013-2018 Docker, Inc.
package seccomp // import "github.com/seccomp/containers-golang"
import (
@@ -9,6 +13,7 @@ import (
"github.com/opencontainers/runtime-spec/specs-go"
libseccomp "github.com/seccomp/libseccomp-golang"
"golang.org/x/sys/unix"
)
//go:generate go run -tags 'seccomp' generate.go
@@ -22,11 +27,25 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
var config Seccomp
if err := json.Unmarshal([]byte(body), &config); err != nil {
return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
return setupSeccomp(&config, rs)
}
// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
config := &Seccomp{}
if err := json.Unmarshal(body, config); err != nil {
return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
return setupSeccomp(config, rs)
}
// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp
func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) {
return setupSeccomp(config, specgen)
}
var nativeToSeccomp = map[string]Arch{
"amd64": ArchX86_64,
"arm64": ArchAARCH64,
@@ -127,21 +146,22 @@ Loop:
}
if call.Name != "" {
newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args, call.ErrnoRet))
}
for _, n := range call.Names {
newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
if len(call.Names) > 0 {
newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args, call.ErrnoRet))
}
}
return newConfig, nil
}
func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSyscall {
func createSpecsSyscall(names []string, action Action, args []*Arg, errnoRet *uint) specs.LinuxSyscall {
newCall := specs.LinuxSyscall{
Names: []string{name},
Action: specs.LinuxSeccompAction(action),
Names: names,
Action: specs.LinuxSeccompAction(action),
ErrnoRet: errnoRet,
}
// Loop through all the arguments of the syscall and convert them
@@ -157,3 +177,15 @@ func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSysc
}
return newCall
}
// IsEnabled returns true if seccomp is enabled for the host.
func IsEnabled() bool {
// Check if Seccomp is supported, via CONFIG_SECCOMP.
if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
return true
}
}
return false
}