pkg/seccomp: simplify IsEnabled, update doc
Current implementation of seccomp.IsEnabled (rooted in runc) is not too good.

First, it parses the whole /proc/self/status, adding each key: value pair into the map (lots of allocations and future work for garbage collector), when using a single key from that map.

Second, the presence of "Seccomp" key in /proc/self/status merely means that kernel option CONFIG_SECCOMP is set, but there is a need to _also_ check for CONFIG_SECCOMP_FILTER (the code for which exists but never executed in case /proc/self/status has Seccomp key).

Replace all this with a single call to prctl; see the long comment in the code for details.

While at it, improve the IsEnabled documentation.

NOTE historically, parsing /proc/self/status was added after a concern was raised in https://github.com/opencontainers/runc/pull/471 that prctl(PR_GET_SECCOMP, ...) can result in the calling process being killed with SIGKILL. This is a valid concern, so the new code here does not use PR_GET_SECCOMP at all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@@ -16,10 +16,10 @@
|
||||
|
||||
package seccomp
|
||||
|
||||
// IsEnabled returns whether seccomp support is enabled
|
||||
// On Linux returns if the kernel has been configured to support seccomp.
|
||||
// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
|
||||
// On non-Linux returns false
|
||||
// IsEnabled checks whether seccomp support is enabled. On Linux, it returns
|
||||
// true if the kernel has been configured to support seccomp (kernel options
|
||||
// CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are set). On non-Linux, it always
|
||||
// returns false.
|
||||
func IsEnabled() bool {
|
||||
return isEnabled()
|
||||
}
|
||||
|
||||
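Review bot: The rewritten doc comment on IsEnabled names the two kernel options but drops the only pointer to how the check is made, so a caller reading just this file cannot tell that the result comes from a runtime probe in isEnabled() rather than from kernel config files. The old comment had the runc source link for that; the new one could add a short sentence pointing at the platform-specific isEnabled implementation and its comment, which the commit message says explains the prctl-based check and why PR_GET_SECCOMP is avoided. A minor style point on the same comment: Go doc convention for boolean functions is "IsEnabled reports whether ..." rather than "IsEnabled checks whether ...".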