diff --git a/Makefile b/Makefile
index 520a8f6..609dbc1 100644
--- a/Makefile
+++ b/Makefile
@@ -46,7 +46,7 @@ else ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0" || echo "1"), 0
 override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd) -D USE_JOURNALD=0
 endif
-ifeq ($(shell $(PKG_CONFIG) --exists libseccomp && echo "0" || echo "1"), 0)
+ifeq ($(shell $(PKG_CONFIG) --atleast-version 2.5.0 libseccomp && echo "0" || echo "1"), 0)
 override LIBS += $(shell $(PKG_CONFIG) --libs libseccomp) -ldl
 override CFLAGS += $(shell $(PKG_CONFIG) --cflags libseccomp) -D USE_SECCOMP=1
 else
diff --git a/src/conmon.c b/src/conmon.c
index 93d3f5e..795701c 100644
--- a/src/conmon.c
+++ b/src/conmon.c
@@ -180,10 +180,11 @@ int main(int argc, char *argv[])
 if (opt_seccomp_notify_socket != NULL) {
 #if !USE_SECCOMP
 pexit("seccomp support not present");
-#endif
+#else
 if (opt_seccomp_notify_plugins == NULL)
 pexit("seccomp notify socket specified without any plugin");
 seccomp_listener = setup_seccomp_socket(opt_seccomp_notify_socket);
+#endif
 }
 /* We always create a stderr pipe, because that way we can capture
diff --git a/src/seccomp_notify.c b/src/seccomp_notify.c
index 4037f27..58f4a16 100644
--- a/src/seccomp_notify.c
+++ b/src/seccomp_notify.c
@@ -21,6 +21,8 @@
 #include "cmsg.h"
 #include "seccomp_notify.h"
+#if USE_SECCOMP
 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
 #endif
@@ -37,19 +39,15 @@ struct seccomp_notify_context_s {
 struct plugin *plugins;
 size_t n_plugins;
-#if USE_SECCOMP
 struct seccomp_notif_resp *sresp;
 struct seccomp_notif *sreq;
 struct seccomp_notif_sizes sizes;
-#endif
 };
 static inline void *xmalloc0(size_t size);
 static void cleanup_seccomp_plugins();
-#if USE_SECCOMP
 static int seccomp_syscall(unsigned int op, unsigned int flags, void *args);
-#endif
 gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
 {
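Review bot: The new `--atleast-version 2.5.0` test turns an older libseccomp into a silent feature downgrade: on a host with libseccomp 2.4 the build still succeeds, but the resulting conmon rejects `--seccomp-notify-socket` at runtime, and nothing at build time says why. The `else` branch that handles the not-found case ends outside this hunk, so I cannot tell whether it prints anything; if it does not, add `$(info libseccomp >= 2.5.0 not found, building without seccomp notify support)` there so packagers notice the downgrade. The 2.5.0 floor itself looks right, as that is, to my knowledge, the libseccomp release that introduced the user-notification API the plugin code depends on, and that reasoning belongs in the Makefile: `# seccomp notify needs libseccomp >= 2.5.0 (seccomp_notify_* API)`.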
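Review bot: The `#if !USE_SECCOMP` arm exits with `pexit("seccomp support not present")`, which after this commit is the only signal an operator gets when the runtime passes `--seccomp-notify-socket` to a conmon that was built against a too-old libseccomp; the message should name the cause so the failure is actionable, e.g. `pexit("seccomp notify support not compiled in (requires libseccomp >= 2.5.0)");`. Moving the plugin check and `setup_seccomp_socket()` under `#else` is the right fix, since those calls presumably cannot compile once the stub functions are removed in seccomp_notify.c in this same commit. main() starts before and continues after the hunk.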
@@ -100,7 +98,6 @@ gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_
 return G_SOURCE_CONTINUE;
 }
-#if USE_SECCOMP
 int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const char *plugins, struct seccomp_notify_conf_s *conf)
 {
 cleanup_seccomp_notify_context struct seccomp_notify_context_s *ctx = xmalloc0(sizeof *ctx);
@@ -273,27 +270,6 @@ int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx)
 return 0;
 }
-#else
-int seccomp_notify_plugins_load(G_GNUC_UNUSED struct seccomp_notify_context_s **out, G_GNUC_UNUSED const char *plugins,
- G_GNUC_UNUSED struct seccomp_notify_conf_s *conf)
-{
- pexit("seccomp support not available");
- return -1;
-}
-
-int seccomp_notify_plugins_event(G_GNUC_UNUSED struct seccomp_notify_context_s *ctx, G_GNUC_UNUSED int seccomp_fd)
-{
- pexit("seccomp support not available");
- return -1;
-}
-
-int seccomp_notify_plugins_free(G_GNUC_UNUSED struct seccomp_notify_context_s *ctx)
-{
- pexit("seccomp support not available");
- return -1;
-}
-#endif
-
 static void cleanup_seccomp_plugins()
 {
 if (seccomp_notify_ctx) {
@@ -319,10 +295,15 @@ static inline void *xmalloc0(size_t size)
 return res;
 }
-#if USE_SECCOMP
 static int seccomp_syscall(unsigned int op, unsigned int flags, void *args)
 {
 errno = 0;
 return syscall(__NR_seccomp, op, flags, args);
 }
+#else
+gboolean seccomp_accept_cb(G_GNUC_UNUSED int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
+{
+ pexit("seccomp support not available");
+ return G_SOURCE_REMOVE;
+}
 #endif
diff --git a/src/seccomp_notify.h b/src/seccomp_notify.h
index 22cf824..9dda848 100644
--- a/src/seccomp_notify.h
+++ b/src/seccomp_notify.h
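Review bot: The new `#else` arm closes an `#if USE_SECCOMP` that this commit opens right after the includes, roughly 270 lines earlier, and the surviving `#endif` at the bottom of the file gives no hint of what it ends; the headers in this same commit annotate theirs with `#endif // USE_SECCOMP`, so the .c file should match: `#else /* !USE_SECCOMP */` and `#endif /* USE_SECCOMP */`. The stub `seccomp_accept_cb` also deserves one line explaining why it exists at all, since conmon.c now pexit()s before any listener could be registered: `/* Never reached: conmon.c refuses --seccomp-notify-socket without USE_SECCOMP; this only keeps the symbol defined. */` (hedged, as the registration site is outside this diff). Returning `G_SOURCE_REMOVE` after a fatal `pexit()` is fine as a belt-and-braces value, assuming pexit is not declared noreturn.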
@@ -3,10 +3,11 @@
 #include "seccomp_notify_plugin.h"
+#if USE_SECCOMP
+
 struct seccomp_notify_context_s;
 gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
-gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const char *plugins, struct seccomp_notify_conf_s *conf);
 int seccomp_notify_plugins_event(struct seccomp_notify_context_s *ctx, int seccomp_fd);
@@ -15,4 +16,6 @@ int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx);
 #define cleanup_seccomp_notify_context __attribute__((cleanup(cleanup_seccomp_notify_pluginsp)))
 void cleanup_seccomp_notify_pluginsp(void *p);
-#endif
+#endif // USE_SECCOMP
+gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
+#endif // SECCOMP_NOTIFY_H
diff --git a/src/seccomp_notify_plugin.h b/src/seccomp_notify_plugin.h
index a35c366..562957f 100644
--- a/src/seccomp_notify_plugin.h
+++ b/src/seccomp_notify_plugin.h
@@ -1,7 +1,9 @@
-#ifndef SECCOMP_NOTIFY_PLUGINPLUGIN_H
+#ifndef SECCOMP_NOTIFY_PLUGIN_H
 #include 
+#if USE_SECCOMP
+
 struct seccomp_notify_conf_s {
 const char *runtime_root_path;
 const char *name;
@@ -37,4 +39,5 @@ typedef int (*run_oci_seccomp_notify_stop_cb)(void *opaque);
 /* Retrieve the API version used by the plugin. It MUST return 1. */
 typedef int (*run_oci_seccomp_notify_plugin_version_cb)();
-#endif
+#endif // USE_SECCOMP
+#endif // SECCOMP_NOTIFY_PLUGIN_H
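Review bot: `seccomp_accept_cb` is now the only symbol this header exposes in both build configurations, moved to sit after `#endif // USE_SECCOMP`, presumably so conmon.c can reference it without its own guard, but nothing says so and a reader will take it for a misplaced prototype. Add a comment above the relocated declaration: `/* Declared in both configurations: without libseccomp, seccomp_notify.c provides a stub that pexit()s. */`. The rest of the header between the two hunks is not visible here.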
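Review bot: The renamed guard `#ifndef SECCOMP_NOTIFY_PLUGIN_H` has no matching `#define SECCOMP_NOTIFY_PLUGIN_H` anywhere in this hunk, so unless it sits further down the header the include guard still does nothing and a second inclusion redefines `struct seccomp_notify_conf_s`; add `#define SECCOMP_NOTIFY_PLUGIN_H` directly after the `#ifndef`. Separately, this file looks like the contract that out-of-tree notify plugins compile against (the `run_oci_seccomp_notify_*` callback typedefs and the "It MUST return 1" version rule), and wrapping its struct and typedefs in the build-internal `#if USE_SECCOMP` means a plugin built without conmon's `-D USE_SECCOMP=1` silently gets an empty header and fails with unrelated-looking errors. Nothing visible in the guarded region needs libseccomp itself, so either leave this header unguarded or state the expectation at its top, e.g. `/* Plugins must be compiled with -D USE_SECCOMP=1 to see this API. */`.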