From c2189cc03f6c893bef50bfc6d20804f9cd1e3c58 Mon Sep 17 00:00:00 2001
From: Ciprian Dorin Craciun
Date: Sun, 11 Sep 2022 13:21:00 +0300
Subject: [PATCH] [server] Add `--seccomp-enable` flag and related logic (does not work for the moment).

---
 sources/cmd/server/seccomp.go | 8 +++++++-
 sources/cmd/server/server.go | 16 ++++++++++++++++
 sources/lib/seccomp/dummy.go | 6 ++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/sources/cmd/server/seccomp.go b/sources/cmd/server/seccomp.go
index b5503ad..3473b04 100644
--- a/sources/cmd/server/seccomp.go
+++ b/sources/cmd/server/seccomp.go
@@ -1,5 +1,11 @@
 package server
-import _ "github.com/volution/kawipiko/lib/seccomp"
+
+ import "github.com/volution/kawipiko/lib/seccomp"
+
+
+
+
+var seccompSupported = seccomp.Supported
diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go
index fc9fc9b..e9bc913 100644
--- a/sources/cmd/server/server.go
+++ b/sources/cmd/server/server.go
@@ -826,6 +826,7 @@ func main_0 () (error) {
 var _profileCpu string
 var _profileMem string
 var _limitMemory uint
+ var _seccompEnabled bool
 var _isFirst bool
 var _isMaster bool
@@ -876,6 +877,7 @@ func main_0 () (error) {
 _profileCpu_0 := _flags.String ("profile-cpu", "", "")
 _profileMem_0 := _flags.String ("profile-mem", "", "")
 _limitMemory_0 := _flags.Uint ("limit-memory", 0, "")
+ _seccompEnabled_0 := _flags.Bool ("seccomp-enable", false, "")
 FlagsParse (_flags, 0, 0)
@@ -912,6 +914,7 @@ func main_0 () (error) {
 _profileCpu = *_profileCpu_0
 _profileMem = *_profileMem_0
 _limitMemory = *_limitMemory_0
+ _seccompEnabled = *_seccompEnabled_0
 if _slave == 0 {
 _isMaster = true
@@ -1026,6 +1029,16 @@ func main_0 () (error) {
 AbortError (nil, "[2781f54c] maximum memory limit is between 128 and 16384 MiB!")
 }
+ if _seccompEnabled && !seccompSupported {
+ AbortError (nil, "[d4d22d4e] Linux seccomp is not supported with this build!")
+ }
+ if _seccompEnabled && (_processes > 1) {
+ AbortError (nil, "[69c06e0c] Linux seccomp is not supported with multiple processes!")
+ }
+ if _seccompEnabled && ((_profilingCpu != "") || (_profilingMem != "")) {
+ AbortError (nil, "[1fb06ca1] Linux seccomp is not supported with profiling!")
+ }
+
 if (_processes > 1) && ((_profileCpu != "") || (_profileMem != "")) {
 AbortError (nil, "[cd18d250] multi-process and profiling are mutually exclusive!")
 }
@@ -1153,6 +1166,9 @@ func main_0 () (error) {
 if _limitMemory != 0 {
 _processArguments = append (_processArguments, "--limit-memory", fmt.Sprintf ("%d", _limitMemory))
 }
+ if _seccompEnabled {
+ _processArguments = append (_processArguments, "--seccomp-enable")
+ }
 if _quiet {
 _processArguments = append (_processArguments, "--quiet")
 }
diff --git a/sources/lib/seccomp/dummy.go b/sources/lib/seccomp/dummy.go
index bc33457..64862f8 100644
--- a/sources/lib/seccomp/dummy.go
+++ b/sources/lib/seccomp/dummy.go
@@ -1,3 +1,9 @@
+
 package seccomp
+
+
+
+var Supported = false
+
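Review bot: The profiling guard in the 1fb06ca1 check reads `_profilingCpu` and `_profilingMem`, but the variables declared and assigned earlier in main_0 (and used by the cd18d250 check on the very next context lines) are `_profileCpu` and `_profileMem`; unless `_profilingCpu`/`_profilingMem` are declared somewhere outside these hunks, this will not compile, which may be part of why the commit message says the flag does not work yet. The line should read `if _seccompEnabled && ((_profileCpu != "") || (_profileMem != "")) {`. The fail-closed shape of the three new checks (abort when the build lacks seccomp support rather than silently running without the filter) is the right one to keep, and the @@ -1153 hunk forwarding `--seccomp-enable` to the spawned process is consistent with it. main_0 starts and ends outside the hunk.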
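Review bot: `Supported` is exported without a doc comment, and nothing in dummy.go says this is the fallback that always reports false; add `// Supported reports whether this build carries a working seccomp implementation; this stub always reports false.` above the declaration. The hunk starts at line 1 and shows no `//go:build` constraint, so a real implementation added to the same package later would clash on the name unless this file gains one — worth a comment recording that intent.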