Add check for seccomp enforcing mode (#9)

* add check for seccomp enforcing mode

Signed-off-by: grant <grant@capsule8.com>

* refactor to use existing readFile function

Signed-off-by: grant <grant@capsule8.com>

* fix lint issue

Signed-off-by: grant <grant@capsule8.com>
diff --git a/container/container.go b/container/container.go
index 48fff22..2625d22 100644
--- a/container/container.go
+++ b/container/container.go
@@ -10,6 +10,7 @@
 	"syscall"
 
 	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -204,6 +205,49 @@
 	return a.Ino == b.Ino && a.Dev == b.Dev, nil
 }
 
+// SeccompEnforcingMode returns the seccomp enforcing level (disabled, filtering, strict)
+func SeccompEnforcingMode() (string, error) {
+
+	// Read from /proc/self/status Linux 3.8+
+	s := readFile("/proc/self/status")
+
+	// Pre linux 3.8
+	if !strings.Contains(s, "Seccomp") {
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+				return "strict", nil
+			}
+		}
+		return "disabled", nil
+	}
+
+	// Split status file string by line
+	statusMappings := strings.Split(s, "\n")
+	statusMappings = deleteEmpty(statusMappings)
+
+	mode := "-1"
+	for _, line := range statusMappings {
+		if strings.Contains(line, "Seccomp:") {
+			mode = string(line[len(line)-1])
+		}
+	}
+
+	seccompModes := map[string]string{
+		"0": "disabled",
+		"1": "strict",
+		"2": "filtering",
+	}
+
+	seccompMode, ok := seccompModes[mode]
+	if !ok {
+		return "", errors.New("could not retrieve seccomp filtering status")
+	}
+
+	return seccompMode, nil
+}
+
 func fileExists(file string) bool {
 	if _, err := os.Stat(file); !os.IsNotExist(err) {
 		return true
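Review bot: The pre-3.8 fallback in SeccompEnforcingMode returns `"strict"` whenever neither prctl probe returns EINVAL, which only shows that the kernel was built with seccomp and seccomp-filter support, not that this process is confined. An unconfined container on such a kernel would be reported as strict, which is the unsafe direction for an audit tool. unix.Prctl returns only an error, so the mode value that PR_GET_SECCOMP reports is lost; consider returning `"", errors.New("seccomp mode not exposed in /proc/self/status")` from that branch, or reading the mode through a raw prctl syscall. The same branch is presumably taken when readFile yields an empty string on a read failure; its body is outside the hunk, so that needs confirming.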
diff --git a/main.go b/main.go
index 0589088..bfdb14b 100644
--- a/main.go
+++ b/main.go
@@ -117,6 +117,13 @@
 		logrus.Debugf("chroot check error: %v", err)
 	}
 	fmt.Printf("Chroot/PivotRoot: %t\n", chroot)
+
+	// Seccomp
+	seccompMode, err := container.SeccompEnforcingMode()
+	if err != nil {
+		logrus.Debugf("error: %v", err)
+	}
+	fmt.Printf("Seccomp: %s\n", seccompMode)
 }
 
 func usageAndExit(message string, exitCode int) {
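Review bot: When SeccompEnforcingMode fails, seccompMode is the empty string, so the output line reads `Seccomp: ` with no value and the reason is visible only at debug level. The debug message is also just `error: %v`, unlike the `chroot check error: %v` message directly above it, so the log does not say which check failed. Suggest `logrus.Debugf("seccomp check error: %v", err)` and setting `seccompMode = "unknown"` inside the error branch, so a failed check cannot be mistaken for a result. The enclosing function starts outside the hunk.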