containerd

github/containerd

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kir Kolyshkin	00b5c99b1a	pkg/seccomp: simplify IsEnabled, update doc Current implementation of seccomp.IsEnabled (rooted in runc) is not too good. First, it parses the whole /proc/self/status, adding each key: value pair into the map (lots of allocations and future work for garbage collector), when using a single key from that map. Second, the presence of "Seccomp" key in /proc/self/status merely means that kernel option CONFIG_SECCOMP is set, but there is a need to _also_ check for CONFIG_SECCOMP_FILTER (the code for which exists but never executed in case /proc/self/status has Seccomp key). Replace all this with a single call to prctl; see the long comment in the code for details. While at it, improve the IsEnabled documentation. NOTE historically, parsing /proc/self/status was added after a concern was raised in https://github.com/opencontainers/runc/pull/471 that prctl(PR_GET_SECCOMP, ...) can result in the calling process being killed with SIGKILL. This is a valid concern, so the new code here does not use PR_GET_SECCOMP at all. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>	2021-04-16 15:52:35 -07:00
Derek McGowan	8cf669ce34	Fix unsupported files exporting functions for apparmor and seccomp Signed-off-by: Derek McGowan <derek@mcg.dev>	2021-03-12 08:47:05 -08:00
Akihiro Suda	7332e2ad2e	remove libseccomp cgo dependency The CRI plugin was depending on libseccomp cgo dependency via libseccomp-golang via libcontainer. https://github.com/seccomp/libseccomp-golang/blob/v0.9.1/seccomp_internal.go#L17 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-07-30 18:51:23 +09:00

Author

SHA1

Message

Date

Kir Kolyshkin

00b5c99b1a

pkg/seccomp: simplify IsEnabled, update doc

Current implementation of seccomp.IsEnabled (rooted in runc) is not
too good.

First, it parses the whole /proc/self/status, adding each key: value
pair into the map (lots of allocations and future work for garbage
collector), when using a single key from that map.

Second, the presence of "Seccomp" key in /proc/self/status merely means
that kernel option CONFIG_SECCOMP is set, but there is a need to _also_
check for CONFIG_SECCOMP_FILTER (the code for which exists but never
executed in case /proc/self/status has Seccomp key).

Replace all this with a single call to prctl; see the long comment in
the code for details.

While at it, improve the IsEnabled documentation.

NOTE historically, parsing /proc/self/status was added after a concern
was raised in https://github.com/opencontainers/runc/pull/471 that
prctl(PR_GET_SECCOMP, ...) can result in the calling process being
killed with SIGKILL. This is a valid concern, so the new code here
does not use PR_GET_SECCOMP at all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

2021-04-16 15:52:35 -07:00

Derek McGowan

8cf669ce34

Fix unsupported files exporting functions for apparmor and seccomp

Signed-off-by: Derek McGowan <derek@mcg.dev>

2021-03-12 08:47:05 -08:00

Akihiro Suda

7332e2ad2e

remove libseccomp cgo dependency

The CRI plugin was depending on libseccomp cgo dependency via
libseccomp-golang via libcontainer.

https://github.com/seccomp/libseccomp-golang/blob/v0.9.1/seccomp_internal.go#L17

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

2020-07-30 18:51:23 +09:00

3 Commits