core: do not fail at step SECCOMP if there is no kernel support (#4004)

Fixes #3882
author: Felipe Sateler <fsateler@users.noreply.github.com> 2016-08-22 16:40:58 -0300
committer: Evgeny Vereshchagin <evvers@ya.ru> 2016-08-22 22:40:58 +0300
commit: 83f12b27d14853e7c89a326f7cd31a6c739d378e (patch)
tree: a422aeadd910a844174690dea8e415069e799470 /src/shared
parent: 05b4d3b55c0a60aa17817d51129f2bc83914c1f4 (diff)
2 files changed, 12 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8656d112b8..4667f508c7 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -21,6 +21,8 @@
 #include <seccomp.h>
 #include <stddef.h>
 
+#include "alloc-util.h"
+#include "fileio.h"
 #include "macro.h"
 #include "seccomp-util.h"
 #include "string-util.h"
@@ -89,6 +91,14 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
 
 }
 
+bool is_seccomp_available(void) {
+        _cleanup_free_ char* field = NULL;
+        static int cached_enabled = -1;
+        if (cached_enabled < 0)
+                cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
+        return cached_enabled;
+}
+
 const SystemCallFilterSet syscall_filter_sets[] = {
         {
                 /* Clock */
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index be33eecb85..cca7c17912 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -27,6 +27,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret);
 
 int seccomp_add_secondary_archs(scmp_filter_ctx *c);
 
+bool is_seccomp_available(void);
+
 typedef struct SystemCallFilterSet {
         const char *set_name;
         const char *value;
author	Felipe Sateler <fsateler@users.noreply.github.com>	2016-08-22 16:40:58 -0300
committer	Evgeny Vereshchagin <evvers@ya.ru>	2016-08-22 22:40:58 +0300
commit	83f12b27d14853e7c89a326f7cd31a6c739d378e (patch)
tree	a422aeadd910a844174690dea8e415069e799470 /src/shared
parent	05b4d3b55c0a60aa17817d51129f2bc83914c1f4 (diff)