[server] Add --seccomp-enable flag and related logic (does not work for the moment).

This commit is contained in:
Ciprian Dorin Craciun 2022-09-11 13:21:00 +03:00
parent 1b76778d60
commit c2189cc03f
3 changed files with 29 additions and 1 deletions


@ -1,5 +1,11 @@
package server
import _ "github.com/volution/kawipiko/lib/seccomp"
import "github.com/volution/kawipiko/lib/seccomp"
var seccompSupported = seccomp.Supported


@ -826,6 +826,7 @@ func main_0 () (error) {
var _profileCpu string
var _profileMem string
var _limitMemory uint
var _seccompEnabled bool
var _isFirst bool
var _isMaster bool
@ -876,6 +877,7 @@ func main_0 () (error) {
_profileCpu_0 := _flags.String ("profile-cpu", "", "")
_profileMem_0 := _flags.String ("profile-mem", "", "")
_limitMemory_0 := _flags.Uint ("limit-memory", 0, "")
_seccompEnabled_0 := _flags.Bool ("seccomp-enable", false, "")
FlagsParse (_flags, 0, 0)
@ -912,6 +914,7 @@ func main_0 () (error) {
_profileCpu = *_profileCpu_0
_profileMem = *_profileMem_0
_limitMemory = *_limitMemory_0
_seccompEnabled = *_seccompEnabled_0
if _slave == 0 {
_isMaster = true
@ -1026,6 +1029,16 @@ func main_0 () (error) {
AbortError (nil, "[2781f54c] maximum memory limit is between 128 and 16384 MiB!")
}
if _seccompEnabled && !seccompSupported {
AbortError (nil, "[d4d22d4e] Linux seccomp is not supported with this build!")
}
if _seccompEnabled && (_processes > 1) {
AbortError (nil, "[69c06e0c] Linux seccomp is not supported with multiple processes!")
}
if _seccompEnabled && ((_profilingCpu != "") || (_profilingMem != "")) {
AbortError (nil, "[1fb06ca1] Linux seccomp is not supported with profiling!")
}
if (_processes > 1) && ((_profileCpu != "") || (_profileMem != "")) {
AbortError (nil, "[cd18d250] multi-process and profiling are mutually exclusive!")
}
@ -1153,6 +1166,9 @@ func main_0 () (error) {
if _limitMemory != 0 {
_processArguments = append (_processArguments, "--limit-memory", fmt.Sprintf ("%d", _limitMemory))
}
if _seccompEnabled {
_processArguments = append (_processArguments, "--seccomp-enable")
}
if _quiet {
_processArguments = append (_processArguments, "--quiet")
}
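Review bot: The profiling guard in the fourth hunk tests `_profilingCpu` and `_profilingMem`, but the variables declared and assigned in this function are `_profileCpu` and `_profileMem` (see the declarations in the first hunk, the assignments in the third, and the multi-process check on the very next line); unless a `_profilingCpu`/`_profilingMem` pair exists elsewhere in main_0, this does not compile, which may be the "does not work" the title mentions. The condition should read `if _seccompEnabled && ((_profileCpu != "") || (_profileMem != "")) {`, keeping the `[1fb06ca1]` abort message as is. The new `--seccomp-enable` flag is registered with an empty usage string like its neighbours, so a `--help` reader gets no hint that it is Linux-only and incompatible with multiple processes and profiling; a one-line usage text would document the three aborts that follow. main_0 starts and ends outside the hunks shown.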


@ -1,3 +1,9 @@
package seccomp
var Supported = false
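Review bot: `Supported` is an exported package-level variable with no doc comment; Go doc tooling expects one starting with the name, e.g. `// Supported reports whether this build includes Linux seccomp support; it stays false unless another file in this package sets it.` The hunk header counts six added lines but only the package clause and this variable are visible, so whatever is meant to override it elsewhere cannot be checked here. Since it is a mutable var rather than a constant, any importer can reassign it, which the comment should state if that is intentional.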