diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go
index 20354f7de..dd4d860c0 100644
--- a/pkg/apparmor/apparmor.go
+++ b/pkg/apparmor/apparmor.go
@@ -1,5 +1,3 @@
-// +build linux
-
 /*
    Copyright The containerd Authors.
 
@@ -18,31 +16,12 @@
 package apparmor
 
-import (
-	"io/ioutil"
-	"os"
-	"sync"
-)
-
-var (
-	appArmorSupported bool
-	checkAppArmor     sync.Once
-)
-
-// HostSupports returns true if apparmor is enabled for the host, if
-// apparmor_parser is enabled, and if we are not running docker-in-docker.
+// HostSupports returns true if apparmor is enabled for the host,
 // On non-Linux returns false
+// On Linux returns true if apparmor_parser is enabled, and if we
+// are not running docker-in-docker.
 //
-// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
-// check for apparmor_parser to be present, or if we're running docker-in-docker.
+// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
+// check for apparmor_parser to be present, or if we're running docker-in-docker.
 func HostSupports() bool {
-	checkAppArmor.Do(func() {
-		// see https://github.com/docker/docker/commit/de191e86321f7d3136ff42ff75826b8107399497
-		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
-			if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
-				buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
-				appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
-			}
-		}
-	})
-	return appArmorSupported
+	return hostSupports()
 }
diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
new file mode 100644
index 000000000..ee3858583
--- /dev/null
+++ b/pkg/apparmor/apparmor_linux.go
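Review bot: The rewritten doc comment on HostSupports leaves its first sentence as a fragment: `// HostSupports returns true if apparmor is enabled for the host,` is immediately followed by the retained `// On non-Linux returns false` line, so the comma never resolves into a sentence. Suggest replacing the first four comment lines with `// HostSupports reports whether AppArmor can be used on this host: on Linux it is true when the kernel has AppArmor enabled, apparmor_parser is present and we are not running docker-in-docker; on other platforms it is always false.` (wrapped to two lines). The two `It is a modified version of libcontainer/apparmor.IsEnabled()` lines are removed and re-added with no visible text change, presumably whitespace, and now duplicate the comment on hostSupports in the new apparmor_linux.go; one copy, on the implementation that performs the checks, is enough.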
@@ -0,0 +1,48 @@
+// +build linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package apparmor
+
+import (
+	"io/ioutil"
+	"os"
+	"sync"
+)
+
+var (
+	appArmorSupported bool
+	checkAppArmor     sync.Once
+)
+
+// hostSupports returns true if apparmor is enabled for the host, if
+// apparmor_parser is enabled, and if we are not running docker-in-docker.
+//
+// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
+// check for apparmor_parser to be present, or if we're running docker-in-docker.
+func hostSupports() bool {
+	checkAppArmor.Do(func() {
+		// see https://github.com/docker/docker/commit/de191e86321f7d3136ff42ff75826b8107399497
+		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
+			if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+				buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+				appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			}
+		}
+	})
+	return appArmorSupported
+}
diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go
index 9b98f2578..428d36424 100644
--- a/pkg/apparmor/apparmor_unsupported.go
+++ b/pkg/apparmor/apparmor_unsupported.go
@@ -18,7 +18,6 @@
 
 package apparmor
 
-//nolint: deadcode, unused
-func HostSupports() bool {
+func hostSupports() bool {
 	return false
 }
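Review bot: hostSupports answers false whenever `/sbin/apparmor_parser` does not exist, so on a host where the kernel LSM is active but the parser is installed elsewhere (for example under /usr/sbin without a /sbin symlink) every caller is told AppArmor is unavailable, and if callers use that answer to skip applying a profile the workload silently runs unconfined. Probing with `exec.LookPath("apparmor_parser")` after the Stat fails would cover the common layouts, though whether the daemon's PATH includes the sbin directories needs checking. The `os.Getenv("container") == ""` test is likewise only a convention that any parent process can set or omit, so the doc comment should say so, e.g. `// The docker-in-docker check relies on the "container" environment variable and is best-effort.`. Since the answer is cached in checkAppArmor for the life of the process, it may also be worth recording which of the three probes failed the first time, so a false result on a host expected to support AppArmor can be diagnosed; `ioutil.ReadFile` can become `os.ReadFile` if the module already requires Go 1.16 or later.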
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..a0ad7d0e8
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,25 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package seccomp
+
+// IsEnabled returns whether seccomp support is enabled
+// On Linux returns if the kernel has been configured to support seccomp.
+// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
+// On non-Linux returns false
+func IsEnabled() bool {
+	return isEnabled()
+}
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
index d41a98bf1..9bda3b2d7 100644
--- a/pkg/seccomp/seccomp_linux.go
+++ b/pkg/seccomp/seccomp_linux.go
@@ -40,9 +40,9 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-// IsEnabled returns if the kernel has been configured to support seccomp.
+// isEnabled returns if the kernel has been configured to support seccomp.
 // From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
-func IsEnabled() bool {
+func isEnabled() bool {
 	// Try to read from /proc/self/status for kernels > 3.8
 	s, err := parseStatusFile("/proc/self/status")
 	if err != nil {
diff --git a/pkg/seccomp/seccomp_unsupported.go b/pkg/seccomp/seccomp_unsupported.go
index 3f7562605..87b133426 100644
--- a/pkg/seccomp/seccomp_unsupported.go
+++ b/pkg/seccomp/seccomp_unsupported.go
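Review bot: The doc comment on the new exported IsEnabled interleaves the attribution with the platform behaviour: `// From https://github.com/opencontainers/runc/...` sits between the Linux and non-Linux sentences, and the same link is already carried by isEnabled in seccomp_linux.go, where the copied code actually lives. Suggest keeping the exported comment to behaviour only, `// IsEnabled reports whether the running kernel supports seccomp. It is always false on non-Linux platforms.`, and leaving the runc reference on isEnabled. It would also help callers to state explicitly that this reports kernel support only, not that a seccomp filter is currently applied to this process, since the name can be read either way.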
@@ -18,6 +18,6 @@
 
 package seccomp
 
-func IsEnabled() bool {
+func isEnabled() bool {
 	return false
 }