
Commit 9528e30

authored
Merge pull request #1558 from cpuguy83/1.3_no_libseccomp
[1.3] remove libseccomp cgo dependency
2 parents f864905 + 5267802 commit 9528e30

14 files changed

Lines changed: 209 additions & 1945 deletions


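--- /dev/null
+++ b/pkg/seccomp/fixtures/proc_self_status
@@ -0,0 +1,47 @@
+Name: cat
+State: R (running)
+Tgid: 19383
+Ngid: 0
+Pid: 19383
+PPid: 19275
+TracerPid: 0
+Uid: 1000 1000 1000 1000
+Gid: 1000 1000 1000 1000
+FDSize: 256
+Groups: 24 25 27 29 30 44 46 102 104 108 111 1000 1001
+NStgid: 19383
+NSpid: 19383
+NSpgid: 19383
+NSsid: 19275
+VmPeak: 5944 kB
+VmSize: 5944 kB
+VmLck: 0 kB
+VmPin: 0 kB
+VmHWM: 744 kB
+VmRSS: 744 kB
+VmData: 324 kB
+VmStk: 136 kB
+VmExe: 48 kB
+VmLib: 1776 kB
+VmPTE: 32 kB
+VmPMD: 12 kB
+VmSwap: 0 kB
+Threads: 1
+SigQ: 0/30067
+SigPnd: 0000000000000000
+ShdPnd: 0000000000000000
+SigBlk: 0000000000000000
+SigIgn: 0000000000000080
+SigCgt: 0000000000000000
+CapInh: 0000000000000000
+CapPrm: 0000000000000000
+CapEff: 0000000000000000
+CapBnd: 0000003fffffffff
+CapAmb: 0000000000000000
+Seccomp: 0
+Cpus_allowed: f
+Cpus_allowed_list: 0-3
+Mems_allowed: 00000000,00000001
+Mems_allowed_list: 0
+voluntary_ctxt_switches: 0
+nonvoluntary_ctxt_switches: 1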

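--- /dev/null
+++ b/pkg/seccomp/seccomp_linux.go
@@ -0,0 +1,88 @@
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Copyright The runc Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package seccomp
+
+import (
+	"bufio"
+	"os"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+// IsEnabled returns if the kernel has been configured to support seccomp.
+// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
+func IsEnabled() bool {
+	// Try to read from /proc/self/status for kernels > 3.8
+	s, err := parseStatusFile("/proc/self/status")
+	if err != nil {
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+				return true
+			}
+		}
+		return false
+	}
+	_, ok := s["Seccomp"]
+	return ok
+}
+
+// parseStatusFile is from https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L243-L268
+func parseStatusFile(path string) (map[string]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	status := make(map[string]string)
+
+	for s.Scan() {
+		text := s.Text()
+		parts := strings.Split(text, ":")
+
+		if len(parts) <= 1 {
+			continue
+		}
+
+		status[parts[0]] = parts[1]
+	}
+	if err := s.Err(); err != nil {
+		return nil, err
+	}
+
+	return status, nil
+}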
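Review bot: `parseStatusFile` keeps only `parts[1]` of `strings.Split(text, ":")`, so a value that itself contains a colon is truncated and the stored value still carries whatever whitespace follows the key separator; `parts := strings.SplitN(text, ":", 2)` together with `status[parts[0]] = strings.TrimSpace(parts[1])` would preserve the whole value in a usable form. `IsEnabled` only tests for the presence of the `Seccomp` key, so nothing is wrong for that caller today, but a future reader of the map would presumably get `"\t0"` rather than `"0"` from a real `/proc/self/status`. In the prctl fallback, a comment such as `// The filter pointer is nil, so a kernel with CONFIG_SECCOMP_FILTER answers EFAULT; only EINVAL means the option is unknown.` would explain why the test is `err != unix.EINVAL` rather than `err == nil`, which otherwise reads like an inverted check.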

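--- /dev/null
+++ b/pkg/seccomp/seccomp_linux_test.go
@@ -0,0 +1,48 @@
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Copyright The runc Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package seccomp
+
+import "testing"
+
+// TestParseStatusFile is from https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux_test.go
+func TestParseStatusFile(t *testing.T) {
+	s, err := parseStatusFile("fixtures/proc_self_status")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, ok := s["Seccomp"]; !ok {
+
+		t.Fatal("expected to find 'Seccomp' in the map but did not.")
+	}
+}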
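Review bot: `TestParseStatusFile` asserts only that the `Seccomp` key exists, which cannot tell a correctly parsed value from a truncated or untrimmed one. Adding `if v := strings.TrimSpace(s["Seccomp"]); v != "0" { t.Fatalf("unexpected Seccomp value %q", v) }` against the fixture, whose `Seccomp` line carries the value `0`, would pin the value too, at the cost of an `import "strings"`. A second lookup on a key from the end of the fixture, such as `nonvoluntary_ctxt_switches`, would also confirm the scanner reads through to the last line rather than stopping early.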

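--- /dev/null
+++ b/pkg/seccomp/seccomp_unsupported.go
@@ -0,0 +1,23 @@
+// +build !linux
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package seccomp
+
+func IsEnabled() bool {
+	return false
+}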
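Review bot: `IsEnabled` in `seccomp_unsupported.go` is exported but has no doc comment, unlike its Linux counterpart; a line such as `// IsEnabled always reports false because seccomp is only available on Linux.` would satisfy the exported-name convention and tell callers that false here means "unsupported platform" rather than "kernel built without seccomp". Since `pkg/server/service.go` stores the result in `seccompEnabled`, that distinction is worth stating where the value originates.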

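--- a/pkg/server/image_pull.go
+++ b/pkg/server/image_pull.go
@@ -271,7 +271,7 @@ func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.C
 		if len(cert.Certificate) != 0 {
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
-		tlsConfig.BuildNameToCertificate()
+		tlsConfig.BuildNameToCertificate() // nolint:staticcheck
 	}
 
 	if registryTLSConfig.CAFile != "" {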
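Review bot: Suppressing the staticcheck warning on `tlsConfig.BuildNameToCertificate()` keeps a call that appears redundant here: `tlsConfig.Certificates` is set to the single `cert` two lines above, and since Go 1.14 `crypto/tls` picks a chain from `Certificates` itself when `NameToCertificate` is left nil, which is the reason the method is deprecated. Deleting the line, and the `nolint` directive with it, would be the cleaner fix, provided the module already builds with Go 1.14 or later, which this hunk does not show. `getTLSConfig` starts and ends outside the hunk.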

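--- a/pkg/server/service.go
+++ b/pkg/server/service.go
@@ -27,7 +27,6 @@ import (
 	"github.com/containerd/containerd/plugin"
 	cni "github.com/containerd/go-cni"
 	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
-	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	runcsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
@@ -41,6 +40,7 @@ import (
 	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	osinterface "github.com/containerd/cri/pkg/os"
 	"github.com/containerd/cri/pkg/registrar"
+	"github.com/containerd/cri/pkg/seccomp"
 	containerstore "github.com/containerd/cri/pkg/store/container"
 	imagestore "github.com/containerd/cri/pkg/store/image"
 	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
@@ -108,7 +108,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi
 		config: config,
 		client: client,
 		apparmorEnabled: runcapparmor.IsEnabled() && !config.DisableApparmor,
-		seccompEnabled: runcseccomp.IsEnabled(),
+		seccompEnabled: seccomp.IsEnabled(),
 		os: osinterface.RealOS{},
 		sandboxStore: sandboxstore.NewStore(),
 		containerStore: containerstore.NewStore(),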

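--- a/vendor.conf
+++ b/vendor.conf
@@ -70,7 +70,6 @@ golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef
 golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
 golang.org/x/crypto 60c769a6c58655dab1b9adac0d58967dd517cfba
 github.com/stretchr/testify v1.4.0
-github.com/seccomp/libseccomp-golang v0.9.1
 github.com/pmezard/go-difflib v1.0.0
 github.com/modern-go/reflect2 v1.0.1
 github.com/modern-go/concurrent 1.0.3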

vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go

Lines changed: 0 additions & 77 deletions
This file was deleted.
