mirror of
https://github.com/containers/podman.git
synced 2025-12-11 01:11:30 +08:00
a4390cd898
Bumps [github.com/containers/common](https://github.com/containers/common) from 0.35.3 to 0.35.4. - [Release notes](https://github.com/containers/common/releases) - [Commits](https://github.com/containers/common/compare/v0.35.3...v0.35.4) Signed-off-by: dependabot[bot] <support@github.com>
50 lines
1.4 KiB
Go
50 lines
1.4 KiB
Go
// +build linux,seccomp
|
|
|
|
package seccomp
|
|
|
|
import (
|
|
"sync"
|
|
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
var (
|
|
supported bool
|
|
supOnce sync.Once
|
|
)
|
|
|
|
// IsSupported returns true if the system has been configured to support
|
|
// seccomp (including the check for CONFIG_SECCOMP_FILTER kernel option).
|
|
func IsSupported() bool {
|
|
// Excerpts from prctl(2), section ERRORS:
|
|
//
|
|
// EACCES
|
|
// option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
|
|
// the process does not have the CAP_SYS_ADMIN capability or has
|
|
// not set the no_new_privs attribute <...>.
|
|
// <...>
|
|
// EFAULT
|
|
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the
|
|
// system was built with CONFIG_SECCOMP_FILTER, and arg3 is an
|
|
// invalid address.
|
|
// <...>
|
|
// EINVAL
|
|
// option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel
|
|
// was not configured with CONFIG_SECCOMP.
|
|
//
|
|
// EINVAL
|
|
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER,
|
|
// and the kernel was not configured with CONFIG_SECCOMP_FILTER.
|
|
// <end of quote>
|
|
//
|
|
// Meaning, in case these kernel options are set (this is what we check
|
|
// for here), we will get some other error (most probably EACCES or
|
|
// EFAULT). IOW, EINVAL means "seccomp not supported", any other error
|
|
// means it is supported.
|
|
|
|
supOnce.Do(func() {
|
|
supported = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
|
|
})
|
|
return supported
|
|
}
|