mirror of
https://github.com/containers/podman.git
synced 2025-12-02 02:58:03 +08:00
7c8c945496
Pull in updates made to the filters code for images. Filters now perform an AND operation except for th reference filter which does an OR operation for positive case but an AND operation for negative cases. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
50 lines
1.4 KiB
Go
50 lines
1.4 KiB
Go
//go:build linux && seccomp
|
|
|
|
package seccomp
|
|
|
|
import (
|
|
"sync"
|
|
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
var (
|
|
supported bool
|
|
supOnce sync.Once
|
|
)
|
|
|
|
// IsSupported returns true if the system has been configured to support
|
|
// seccomp (including the check for CONFIG_SECCOMP_FILTER kernel option).
|
|
func IsSupported() bool {
|
|
// Excerpts from prctl(2), section ERRORS:
|
|
//
|
|
// EACCES
|
|
// option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
|
|
// the process does not have the CAP_SYS_ADMIN capability or has
|
|
// not set the no_new_privs attribute <...>.
|
|
// <...>
|
|
// EFAULT
|
|
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the
|
|
// system was built with CONFIG_SECCOMP_FILTER, and arg3 is an
|
|
// invalid address.
|
|
// <...>
|
|
// EINVAL
|
|
// option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel
|
|
// was not configured with CONFIG_SECCOMP.
|
|
//
|
|
// EINVAL
|
|
// option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER,
|
|
// and the kernel was not configured with CONFIG_SECCOMP_FILTER.
|
|
// <end of quote>
|
|
//
|
|
// Meaning, in case these kernel options are set (this is what we check
|
|
// for here), we will get some other error (most probably EACCES or
|
|
// EFAULT). IOW, EINVAL means "seccomp not supported", any other error
|
|
// means it is supported.
|
|
|
|
supOnce.Do(func() {
|
|
supported = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
|
|
})
|
|
return supported
|
|
}
|