author | Evgeny Vereshchagin <evvers@ya.ru> | 2016-09-07 06:44:06 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-07 06:44:06 +0300 |
commit | c5d5fc91eba8541a3a86ff6b839a2b6e824f4149 (patch) | |
tree | 5ac8a407c10f16e024b07a92a1d14f89b43244c5 | |
parent | 29272d9e03b85deafe30ff79aa291afe7cceb430 (diff) | |
parent | fd74fa791f95433ac52520764b67e6fb4bda2c0e (diff) |
Merge pull request #4087 from fsateler/detect-seccomp-filter
seccomp: also detect if seccomp filtering is available
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | src/core/execute.c | 2 | ||||
-rw-r--r-- | src/nspawn/nspawn-seccomp.c | 10 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 19 |
4 files changed, 22 insertions, 10 deletions
@@ -79,6 +79,7 @@ REQUIREMENTS:
 CONFIG_TMPFS_XATTR
 CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL
 CONFIG_SECCOMP
+ CONFIG_SECCOMP_FILTER (required for seccomp support)
 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
 Required for CPUShares= in resource control unit settings
diff --git a/src/core/execute.c b/src/core/execute.c
index 55f15d7e49..2026137721 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1077,7 +1077,7 @@ static void rename_process_from_path(const char *path) {
 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
 if (!is_seccomp_available()) {
 log_open();
- log_unit_debug(u, "SECCOMP not detected in the kernel, skipping %s", msg);
+ log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
 log_close();
 return true;
 }
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 3ab7160ebe..44a0b397ab 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -130,6 +130,11 @@ int setup_seccomp(uint64_t cap_list_retain) {
 scmp_filter_ctx seccomp;
 int r;
+ if (!is_seccomp_available()) {
+ log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");
+ return 0;
+ }
+
 seccomp = seccomp_init(SCMP_ACT_ALLOW);
 if (!seccomp)
 return log_oom();
@@ -173,11 +178,6 @@ int setup_seccomp(uint64_t cap_list_retain) {
 }
 r = seccomp_load(seccomp);
- if (r == -EINVAL) {
- log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
- r = 0;
- goto finish;
- }
 if (r < 0) {
 log_error_errno(r, "Failed to install seccomp audit filter: %m");
 goto finish;
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 6c489284d1..2f42381fc1 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
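Review bot: The new early return at the top of setup_seccomp() drops the container's seccomp filter with only a debug-level message, so a container started on a kernel where is_seccomp_available() reports false (or where that probe misfires) runs with weaker sandboxing and nothing at the default log level says so; the same fail-open at debug level is in the skip_seccomp_unavailable() hunk in src/core/execute.c. Consider `log_warning("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");` (or at least log_notice) here, since for nspawn this is a one-time message per container rather than a per-unit one. The second hunk removes the seccomp_load() == -EINVAL fallback, which is consistent with the probe now gating the whole function, but it turns any remaining EINVAL from seccomp_load() into a hard error instead of a silent downgrade — presumably intended, and worth a one-line comment on the early return saying that load failures are no longer tolerated. setup_seccomp()'s body continues between the two hunks and past the second one.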
@@ -20,9 +20,9 @@
 #include <errno.h>
 #include <seccomp.h>
 #include <stddef.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
-#include "alloc-util.h"
-#include "fileio.h"
 #include "macro.h"
 #include "seccomp-util.h"
 #include "string-util.h"
@@ -91,11 +91,22 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
 }
+static bool is_basic_seccomp_available(void) {
+ int r;
+ r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+ return r >= 0;
+}
+
+static bool is_seccomp_filter_available(void) {
+ int r;
+ r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ return r < 0 && errno == EFAULT;
+}
+
 bool is_seccomp_available(void) {
- _cleanup_free_ char* field = NULL;
 static int cached_enabled = -1;
 if (cached_enabled < 0)
- cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
+ cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
 return cached_enabled;
 }
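Review bot: is_seccomp_filter_available() treats every prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, ...) failure other than EFAULT as "filtering unavailable", and is_seccomp_available() caches that answer for the life of the process, so an unexpected errno (anything other than the EFAULT the probe expects or the EINVAL of a kernel built without filter support) silently turns every seccomp consumer in the tree into a no-op with no trace. Consider making that case visible before returning, e.g. `if (r < 0 && errno != EFAULT && errno != EINVAL) log_debug_errno(errno, "Unexpected error while probing for seccomp filter support: %m");` (assuming the logging macros are in scope in this file). The EFAULT trick also needs a comment, since the intent is not obvious from the code: something like `/* The kernel rejects an unknown filter mode before it reads the filter pointer, so a deliberately invalid pointer yields EFAULT when filter mode is supported and EINVAL when it is not. */` — that ordering is my understanding of the kernel's behaviour, please confirm for the kernels you target. Minor style point: `int r = prctl(...);` reads better than declare-then-assign in both helpers.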