slirp: enable seccomp filter

Add a check for --enable-seccomp support in slirp4netns. If it is
supported, always enable it.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano 2020-03-26 16:45:31 +01:00
parent 8cccac5497
commit f8ccd76858
GPG Key ID: E4730F97F60286ED
1 changed files with 23 additions and 8 deletions


@ -154,13 +154,25 @@ func (r *Runtime) createNetNS(ctr *Container) (n ns.NetNS, q []*cnitypes.Result,
return ctrNS, networkStatus, err return ctrNS, networkStatus, err
} }
func checkSlirpFlags(path string) (bool, bool, bool, error) { type slirpFeatures struct {
HasDisableHostLoopback bool
HasMTU bool
HasEnableSandbox bool
HasEnableSeccomp bool
}
func checkSlirpFlags(path string) (*slirpFeatures, error) {
cmd := exec.Command(path, "--help") cmd := exec.Command(path, "--help")
out, err := cmd.CombinedOutput() out, err := cmd.CombinedOutput()
if err != nil { if err != nil {
return false, false, false, errors.Wrapf(err, "slirp4netns %q", out) return nil, errors.Wrapf(err, "slirp4netns %q", out)
} }
return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil return &slirpFeatures{
HasDisableHostLoopback: strings.Contains(string(out), "--disable-host-loopback"),
HasMTU: strings.Contains(string(out), "--mtu"),
HasEnableSandbox: strings.Contains(string(out), "--enable-sandbox"),
HasEnableSeccomp: strings.Contains(string(out), "--enable-seccomp"),
}, nil
} }
// Configure the network namespace for a rootless container // Configure the network namespace for a rootless container
@ -187,19 +199,22 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
logPath := filepath.Join(ctr.runtime.config.TmpDir, fmt.Sprintf("slirp4netns-%s.log", ctr.config.ID)) logPath := filepath.Join(ctr.runtime.config.TmpDir, fmt.Sprintf("slirp4netns-%s.log", ctr.config.ID))
cmdArgs := []string{} cmdArgs := []string{}
dhp, mtu, sandbox, err := checkSlirpFlags(path) slirpFeatures, err := checkSlirpFlags(path)
if err != nil { if err != nil {
return errors.Wrapf(err, "error checking slirp4netns binary %s: %q", path, err) return errors.Wrapf(err, "error checking slirp4netns binary %s: %q", path, err)
} }
if dhp { if slirpFeatures.HasDisableHostLoopback {
cmdArgs = append(cmdArgs, "--disable-host-loopback") cmdArgs = append(cmdArgs, "--disable-host-loopback")
} }
if mtu { if slirpFeatures.HasMTU {
cmdArgs = append(cmdArgs, "--mtu", "65520") cmdArgs = append(cmdArgs, "--mtu", "65520")
} }
if sandbox { if slirpFeatures.HasEnableSandbox {
cmdArgs = append(cmdArgs, "--enable-sandbox") cmdArgs = append(cmdArgs, "--enable-sandbox")
} }
if slirpFeatures.HasEnableSeccomp {
cmdArgs = append(cmdArgs, "--enable-seccomp")
}
// the slirp4netns arguments being passed are describes as follows: // the slirp4netns arguments being passed are describes as follows:
// from the slirp4netns documentation: https://github.com/rootless-containers/slirp4netns // from the slirp4netns documentation: https://github.com/rootless-containers/slirp4netns
@ -230,7 +245,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
} }
// workaround for https://github.com/rootless-containers/slirp4netns/pull/153 // workaround for https://github.com/rootless-containers/slirp4netns/pull/153
if sandbox { if slirpFeatures.HasEnableSandbox {
cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNS cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNS
cmd.SysProcAttr.Unshareflags = syscall.CLONE_NEWNS cmd.SysProcAttr.Unshareflags = syscall.CLONE_NEWNS
} }
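Review bot: The new `HasEnableSeccomp` capability is a bare substring match on `--help` output (`strings.Contains(string(out), "--enable-seccomp")`), and the third hunk then passes the flag unconditionally whenever the match hits; a help text that merely mentions the flag in a description, or a build where the option is listed but seccomp support is compiled out, would make slirp4netns fail at startup and leave the rootless container with no network, and nothing in the hunk distinguishes that failure from any other. Since this check is the only gate, it deserves a why-comment at the `HasEnableSeccomp` site, e.g. `// Detected from --help text only; slirp4netns treats --enable-seccomp as experimental, so a false positive here fails container start rather than silently running unfiltered.` The unconditional enable also deserves its rationale next to the append, something like `// slirp4netns runs on the host as the unprivileged user; presumably it handles traffic originating from the container, so restricting its own syscalls limits what a compromise of it can do — confirm against upstream docs.` Both `checkSlirpFlags` callers and the rest of `setupRootlessNetNS` (where the command is actually started and where a fallback retry without the flag would belong) begin and end outside these hunks.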