github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Fix unsupported files exporting functions for apparmor and seccomp

Browse Source 
Signed-off-by: Derek McGowan <derek@mcg.dev>
This commit is contained in:
Derek McGowan
2021-03-12 08:35:29 -08:00
parent 35eeb24a17
commit 8cf669ce34
6 changed files with 83 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
pkg/apparmor/apparmor.go
View File

@@ -1,5 +1,3 @@
// +build linux
/* /*
Copyright The containerd Authors. Copyright The containerd Authors.
@@ -18,31 +16,12 @@
package apparmor package apparmor
import ( // HostSupports returns true if apparmor is enabled for the host, // On non-Linux returns false
"io/ioutil" // On Linux returns true if apparmor_parser is enabled, and if we
"os" // are not running docker-in-docker.
"sync"
)
var (
appArmorSupported bool
checkAppArmor sync.Once
)
// HostSupports returns true if apparmor is enabled for the host, if
// apparmor_parser is enabled, and if we are not running docker-in-docker.
// //
// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not // It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
// check for apparmor_parser to be present, or if we're running docker-in-docker. // check for apparmor_parser to be present, or if we're running docker-in-docker.
func HostSupports() bool { func HostSupports() bool {
checkAppArmor.Do(func() { return hostSupports()
// see https://github.com/docker/docker/commit/de191e86321f7d3136ff42ff75826b8107399497
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
}
}
})
return appArmorSupported
} }

48
pkg/apparmor/apparmor_linux.go Normal file
View File

@@ -0,0 +1,48 @@
// +build linux
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package apparmor
import (
"io/ioutil"
"os"
"sync"
)
var (
appArmorSupported bool
checkAppArmor sync.Once
)
// hostSupports returns true if apparmor is enabled for the host, if
// apparmor_parser is enabled, and if we are not running docker-in-docker.
//
// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
// check for apparmor_parser to be present, or if we're running docker-in-docker.
func hostSupports() bool {
checkAppArmor.Do(func() {
// see https://github.com/docker/docker/commit/de191e86321f7d3136ff42ff75826b8107399497
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
}
}
})
return appArmorSupported
}

3
pkg/apparmor/apparmor_unsupported.go
View File

@@ -18,7 +18,6 @@
package apparmor package apparmor
//nolint: deadcode, unused func hostSupports() bool {
func HostSupports() bool {
return false return false
} }

25
pkg/seccomp/seccomp.go Normal file
View File

@@ -0,0 +1,25 @@
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package seccomp
// IsEnabled returns whether seccomp support is enabled
// On Linux returns if the kernel has been configured to support seccomp.
// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
// On non-Linux returns false
func IsEnabled() bool {
return isEnabled()
}

4
pkg/seccomp/seccomp_linux.go
View File

@@ -40,9 +40,9 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
// IsEnabled returns if the kernel has been configured to support seccomp. // isEnabled returns if the kernel has been configured to support seccomp.
// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102 // From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
func IsEnabled() bool { func isEnabled() bool {
// Try to read from /proc/self/status for kernels > 3.8 // Try to read from /proc/self/status for kernels > 3.8
s, err := parseStatusFile("/proc/self/status") s, err := parseStatusFile("/proc/self/status")
if err != nil { if err != nil {

2
pkg/seccomp/seccomp_unsupported.go
View File

@@ -18,6 +18,6 @@
package seccomp package seccomp
func IsEnabled() bool { func isEnabled() bool {
return false return false
} }