seccomp: fix for unsupported versions
If the seccomp version is lower than 2.5.0, we should not compile any seccomp-related code, and we should fail if users attempt to enable seccomp features. Signed-off-by: Peter Hunt <pehunt@redhat.com>
This commit is contained in:
parent
75e067ed42
commit
24c73c2abb
2
Makefile
2
Makefile
|
|
@ -46,7 +46,7 @@ else ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0" || echo "1"), 0
|
|||
override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd) -D USE_JOURNALD=0
|
||||
endif
|
||||
|
||||
ifeq ($(shell $(PKG_CONFIG) --exists libseccomp && echo "0" || echo "1"), 0)
|
||||
ifeq ($(shell $(PKG_CONFIG) --atleast-version 2.5.0 libseccomp && echo "0" || echo "1"), 0)
|
||||
override LIBS += $(shell $(PKG_CONFIG) --libs libseccomp) -ldl
|
||||
override CFLAGS += $(shell $(PKG_CONFIG) --cflags libseccomp) -D USE_SECCOMP=1
|
||||
else
|
||||
|
|
|
|||
|
|
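Review bot: The new `--atleast-version 2.5.0` check introduces a version floor with nothing in the Makefile saying why it exists; a comment above that line, `# seccomp user-notification support requires libseccomp >= 2.5.0`, would save the next reader a trip to the commit log. The `else` branch closing this block continues outside the hunk; since the main() hunk in this same commit tests `#if !USE_SECCOMP`, that branch should define `-D USE_SECCOMP=0` explicitly rather than rely on an undefined macro evaluating to zero, which keeps `-Wundef` builds clean and makes the build mode visible in the compile line.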
@ -180,10 +180,11 @@ int main(int argc, char *argv[])
|
|||
if (opt_seccomp_notify_socket != NULL) {
|
||||
#if !USE_SECCOMP
|
||||
pexit("seccomp support not present");
|
||||
#endif
|
||||
#else
|
||||
if (opt_seccomp_notify_plugins == NULL)
|
||||
pexit("seccomp notify socket specified without any plugin");
|
||||
seccomp_listener = setup_seccomp_socket(opt_seccomp_notify_socket);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* We always create a stderr pipe, because that way we can capture
|
||||
|
|
|
|||
|
|
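Review bot: The fatal message in the new `#if !USE_SECCOMP` branch, `pexit("seccomp support not present");`, differs from the `"seccomp support not available"` text used by the stub added in the seccomp_notify.c hunks of this commit; one wording for both makes log searching and tests simpler. The guard also only fires when `opt_seccomp_notify_socket` is set: a value in `opt_seccomp_notify_plugins` given on its own is silently accepted by a build without seccomp, which the stated goal of failing when users specify seccomp features does not appear to cover, so a second `pexit` for that case seems warranted if the option is user-visible. main() starts and ends outside the hunk.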
@ -21,6 +21,8 @@
|
|||
#include "cmsg.h"
|
||||
#include "seccomp_notify.h"
|
||||
|
||||
#if USE_SECCOMP
|
||||
|
||||
#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
|
||||
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
|
||||
#endif
|
||||
|
|
@ -37,19 +39,15 @@ struct seccomp_notify_context_s {
|
|||
struct plugin *plugins;
|
||||
size_t n_plugins;
|
||||
|
||||
#if USE_SECCOMP
|
||||
struct seccomp_notif_resp *sresp;
|
||||
struct seccomp_notif *sreq;
|
||||
struct seccomp_notif_sizes sizes;
|
||||
#endif
|
||||
};
|
||||
|
||||
static inline void *xmalloc0(size_t size);
|
||||
static void cleanup_seccomp_plugins();
|
||||
|
||||
#if USE_SECCOMP
|
||||
static int seccomp_syscall(unsigned int op, unsigned int flags, void *args);
|
||||
#endif
|
||||
|
||||
gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
|
||||
{
|
||||
|
|
@ -100,7 +98,6 @@ gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_
|
|||
return G_SOURCE_CONTINUE;
|
||||
}
|
||||
|
||||
#if USE_SECCOMP
|
||||
int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const char *plugins, struct seccomp_notify_conf_s *conf)
|
||||
{
|
||||
cleanup_seccomp_notify_context struct seccomp_notify_context_s *ctx = xmalloc0(sizeof *ctx);
|
||||
|
|
@ -273,27 +270,6 @@ int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx)
|
|||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
int seccomp_notify_plugins_load(G_GNUC_UNUSED struct seccomp_notify_context_s **out, G_GNUC_UNUSED const char *plugins,
|
||||
G_GNUC_UNUSED struct seccomp_notify_conf_s *conf)
|
||||
{
|
||||
pexit("seccomp support not available");
|
||||
return -1;
|
||||
}
|
||||
|
||||
int seccomp_notify_plugins_event(G_GNUC_UNUSED struct seccomp_notify_context_s *ctx, G_GNUC_UNUSED int seccomp_fd)
|
||||
{
|
||||
pexit("seccomp support not available");
|
||||
return -1;
|
||||
}
|
||||
|
||||
int seccomp_notify_plugins_free(G_GNUC_UNUSED struct seccomp_notify_context_s *ctx)
|
||||
{
|
||||
pexit("seccomp support not available");
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void cleanup_seccomp_plugins()
|
||||
{
|
||||
if (seccomp_notify_ctx) {
|
||||
|
|
@ -319,10 +295,15 @@ static inline void *xmalloc0(size_t size)
|
|||
return res;
|
||||
}
|
||||
|
||||
#if USE_SECCOMP
|
||||
static int seccomp_syscall(unsigned int op, unsigned int flags, void *args)
|
||||
{
|
||||
errno = 0;
|
||||
return syscall(__NR_seccomp, op, flags, args);
|
||||
}
|
||||
#else
|
||||
gboolean seccomp_accept_cb(G_GNUC_UNUSED int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
|
||||
{
|
||||
pexit("seccomp support not available");
|
||||
return G_SOURCE_REMOVE;
|
||||
}
|
||||
#endif
|
||||
|
|
|
|||
|
|
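Review bot: With the `#if USE_SECCOMP` line removed in the -319 hunk, the `#else` placed before the new `seccomp_accept_cb` stub appears to pair with the `#if USE_SECCOMP` added after the includes in the -21 hunk, roughly 280 lines earlier; that pairing is hard to verify by eye, so tag it as `#else /* !USE_SECCOMP */` and `#endif /* USE_SECCOMP */`, in line with the `// USE_SECCOMP` tags the headers in this commit already use. The stub's `pexit("seccomp support not available")` also differs in wording from `"seccomp support not present"` in the main() hunk; a single string for both would be tidier. The -273 hunk deletes the `#else` stubs for `seccomp_notify_plugins_load`, `seccomp_notify_plugins_event` and `seccomp_notify_plugins_free`, so any reference to those symbols from code outside the guarded region (not visible here) would now fail to link when USE_SECCOMP is 0; a build with seccomp disabled is worth running before merge.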
@ -3,10 +3,11 @@
|
|||
|
||||
#include "seccomp_notify_plugin.h"
|
||||
|
||||
#if USE_SECCOMP
|
||||
|
||||
struct seccomp_notify_context_s;
|
||||
|
||||
gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
|
||||
gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
|
||||
|
||||
int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const char *plugins, struct seccomp_notify_conf_s *conf);
|
||||
int seccomp_notify_plugins_event(struct seccomp_notify_context_s *ctx, int seccomp_fd);
|
||||
|
|
@ -15,4 +16,6 @@ int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx);
|
|||
#define cleanup_seccomp_notify_context __attribute__((cleanup(cleanup_seccomp_notify_pluginsp)))
|
||||
void cleanup_seccomp_notify_pluginsp(void *p);
|
||||
|
||||
#endif
|
||||
#endif // USE_SECCOMP
|
||||
gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
|
||||
#endif // SECCOMP_NOTIFY_H
|
||||
|
|
|
|||
|
|
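Review bot: `gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);` is now declared twice in this header, once inside the new `#if USE_SECCOMP` block and again after `#endif // USE_SECCOMP` so the non-seccomp build still sees it. The inner declaration is redundant in the seccomp build and the two can drift apart if one signature is edited; drop the one inside the guard and keep only the unconditional declaration. A comment above the unconditional one, `/* declared unconditionally: seccomp_notify.c provides a failing stub when USE_SECCOMP is 0 */`, would record why it sits outside the guard.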
@ -1,7 +1,9 @@
|
|||
#ifndef SECCOMP_NOTIFY_PLUGINPLUGIN_H
|
||||
#ifndef SECCOMP_NOTIFY_PLUGIN_H
|
||||
|
||||
#include <linux/seccomp.h>
|
||||
|
||||
#if USE_SECCOMP
|
||||
|
||||
struct seccomp_notify_conf_s {
|
||||
const char *runtime_root_path;
|
||||
const char *name;
|
||||
|
|
@ -37,4 +39,5 @@ typedef int (*run_oci_seccomp_notify_stop_cb)(void *opaque);
|
|||
/* Retrieve the API version used by the plugin. It MUST return 1. */
|
||||
typedef int (*run_oci_seccomp_notify_plugin_version_cb)();
|
||||
|
||||
#endif
|
||||
#endif // USE_SECCOMP
|
||||
#endif // SECCOMP_NOTIFY_PLUGIN_H
|
||||
|
|
|
|||
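Review bot: The include guard is renamed to `SECCOMP_NOTIFY_PLUGIN_H`, but no `#define SECCOMP_NOTIFY_PLUGIN_H` is visible in the first lines of the header on either side of the -1 hunk; if the header does not define it elsewhere, the `#ifndef` never takes effect and a second inclusion redefines `struct seccomp_notify_conf_s`. Add `#define SECCOMP_NOTIFY_PLUGIN_H` directly below the `#ifndef`. `#include <linux/seccomp.h>` also stays outside the new `#if USE_SECCOMP`; if nothing outside the guard needs it, moving the include inside keeps this header free of kernel-header dependencies in a non-seccomp build, which matches the commit's intent of compiling nothing seccomp-related there.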