diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile
index 611c4511e7..0bb846cbc5 100644
--- a/components/engine/Dockerfile
+++ b/components/engine/Dockerfile
@@ -108,8 +108,8 @@ RUN set -x \
 && UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh
 ENV PATH /osxcross/target/bin:$PATH
-# Install seccomp: the version shipped in trusty is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/Dockerfile.aarch64 b/components/engine/Dockerfile.aarch64
index bc860b59a8..e58e2f7e8d 100644
--- a/components/engine/Dockerfile.aarch64
+++ b/components/engine/Dockerfile.aarch64
@@ -78,8 +78,8 @@ RUN cd /usr/local/lvm2 \
 && make install_device-mapper
 # See https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL
-# Install seccomp: the version shipped in trusty is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/Dockerfile.armhf b/components/engine/Dockerfile.armhf
index ee69700496..d91ba9fe9c 100644
--- a/components/engine/Dockerfile.armhf
+++ b/components/engine/Dockerfile.armhf
@@ -92,8 +92,8 @@ RUN git clone https://github.com/golang/lint.git /go/src/github.com/golang/lint
 && (cd /go/src/github.com/golang/lint && git checkout -q $GO_LINT_COMMIT) \
 && go install -v github.com/golang/lint/golint
-# Install seccomp: the version shipped in trusty is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/Dockerfile.ppc64le b/components/engine/Dockerfile.ppc64le
index 61674b7c31..fe97372136 100644
--- a/components/engine/Dockerfile.ppc64le
+++ b/components/engine/Dockerfile.ppc64le
@@ -77,8 +77,8 @@ RUN cd /usr/local/lvm2 \
 && make install_device-mapper
 # See https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL
-# Install seccomp: the version shipped in jessie is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/Dockerfile.s390x b/components/engine/Dockerfile.s390x
index c2fa4a8ba7..a47e4463fd 100644
--- a/components/engine/Dockerfile.s390x
+++ b/components/engine/Dockerfile.s390x
@@ -50,8 +50,8 @@ RUN apt-get update && apt-get install -y \
 vim-common \
 --no-install-recommends
-# Install seccomp: the version shipped in jessie is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/Dockerfile.simple b/components/engine/Dockerfile.simple
index f5fe6b272f..248f88de3e 100644
--- a/components/engine/Dockerfile.simple
+++ b/components/engine/Dockerfile.simple
@@ -34,8 +34,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 vim-common \
 && rm -rf /var/lib/apt/lists/*
-# Install seccomp: the version shipped in trusty is too old
-ENV SECCOMP_VERSION 2.3.1
+# Install seccomp: the version shipped upstream is too old
+ENV SECCOMP_VERSION 2.3.2
 RUN set -x \
 && export SECCOMP_PATH="$(mktemp -d)" \
 && curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_VERSION}/libseccomp-${SECCOMP_VERSION}.tar.gz" \
diff --git a/components/engine/profiles/seccomp/default.json b/components/engine/profiles/seccomp/default.json
index 932aa55aa0..5b742da0da 100755
--- a/components/engine/profiles/seccomp/default.json
+++ b/components/engine/profiles/seccomp/default.json
@@ -223,10 +223,12 @@
 "prctl",
 "pread64",
 "preadv",
+ "preadv2",
 "prlimit64",
 "pselect6",
 "pwrite64",
 "pwritev",
+ "pwritev2",
 "read",
 "readahead",
 "readlink",
diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
index dee189ad46..b68834a12e 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@@ -217,10 +217,12 @@ func DefaultProfile() *types.Seccomp {
 "prctl",
 "pread64",
 "preadv",
+ "preadv2",
 "prlimit64",
 "pselect6",
 "pwrite64",
 "pwritev",
+ "pwritev2",
 "read",
 "readahead",
 "readlink",
diff --git a/components/engine/vendor.conf b/components/engine/vendor.conf
index b5493c434a..bb6548f240 100644
--- a/components/engine/vendor.conf
+++ b/components/engine/vendor.conf
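Review bot: The new `"preadv2"` and `"pwritev2"` entries in DefaultProfile are syscall names that the runtime must resolve to numbers through libseccomp at load time, and nothing next to the entries records that they need a libseccomp whose syscall table knows them; the SECCOMP_VERSION bump to 2.3.2 in the Dockerfiles of this commit is presumably what provides that, so the coupling should be visible where the names are added. Suggest a comment above the pair, `// preadv2/pwritev2 are resolved by name; requires a libseccomp that lists them (build pins SECCOMP_VERSION 2.3.2)`. The same two names are duplicated into default.json in this commit; if that file is generated from this one, regenerating it is the safer way to keep the two allowlists from diverging, and a hand edit of only one side would silently widen or narrow the default profile depending on which copy a consumer reads. DefaultProfile's body starts and ends outside the hunk.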
@@ -63,7 +63,7 @@ github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 # When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly
 github.com/opencontainers/runc a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 https://github.com/docker/runc.git # libcontainer
 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
-github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
+github.com/seccomp/libseccomp-golang v0.9.0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
 github.com/coreos/go-systemd v4
 github.com/godbus/dbus v4.0.0
diff --git a/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index b2c010fc38..53bcb024dc 100644
--- a/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -27,6 +27,28 @@ import "C"
 // Exported types
+// VersionError denotes that the system libseccomp version is incompatible
+// with this package.
+type VersionError struct {
+ message string
+ minimum string
+}
+
+func (e VersionError) Error() string {
+ format := "Libseccomp version too low: "
+ if e.message != "" {
+ format += e.message + ": "
+ }
+ format += "minimum supported is "
+ if e.minimum != "" {
+ format += e.minimum + ": "
+ } else {
+ format += "2.1.0: "
+ }
+ format += "detected %d.%d.%d"
+ return fmt.Sprintf(format, verMajor, verMinor, verMicro)
+}
+
 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
 // per-architecture basis.
 type ScmpArch uint
@@ -151,6 +173,10 @@ const (
 // GetArchFromString returns an ScmpArch constant from a string representing an
 // architecture
 func GetArchFromString(arch string) (ScmpArch, error) {
+ if err := ensureSupportedVersion(); err != nil {
+ return ArchInvalid, err
+ }
+
 switch strings.ToLower(arch) {
 case "x86":
 return ArchX86, nil
@@ -338,6 +364,10 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
 // Returns the number of the syscall, or an error if no syscall with that name
 // was found.
 func GetSyscallFromName(name string) (ScmpSyscall, error) {
+ if err := ensureSupportedVersion(); err != nil {
+ return 0, err
+ }
+
 cString := C.CString(name)
 defer C.free(unsafe.Pointer(cString))
@@ -355,6 +385,9 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
 // Returns the number of the syscall, or an error if an invalid architecture is
 // passed or a syscall with that name was not found.
 func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
+ if err := ensureSupportedVersion(); err != nil {
+ return 0, err
+ }
 if err := sanitizeArch(arch); err != nil {
 return 0, err
 }
@@ -386,6 +419,10 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
 func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) {
 var condStruct ScmpCondition
+ if err := ensureSupportedVersion(); err != nil {
+ return condStruct, err
+ }
+
 if comparison == CompareInvalid {
 return condStruct, fmt.Errorf("invalid comparison operator")
 } else if arg > 5 {
@@ -413,6 +450,10 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo
 // GetNativeArch returns architecture token representing the native kernel
 // architecture
 func GetNativeArch() (ScmpArch, error) {
+ if err := ensureSupportedVersion(); err != nil {
+ return ArchInvalid, err
+ }
+
 arch := C.seccomp_arch_native()
 return archFromNative(arch)
@@ -435,6 +476,10 @@ type ScmpFilter struct {
 // Returns a reference to a valid filter context, or nil and an error if the
 // filter context could not be created or an invalid default action was given.
 func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
+ if err := ensureSupportedVersion(); err != nil {
+ return nil, err
+ }
+
 if err := sanitizeAction(defaultAction); err != nil {
 return nil, err
 }
diff --git a/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index ab67a3dedc..b0caac91be 100644
--- a/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/components/engine/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -7,7 +7,6 @@ package seccomp
 import (
 "fmt"
- "os"
 "syscall"
 )
@@ -192,12 +191,12 @@ func checkVersionAbove(major, minor, micro int) bool {
 (verMajor == major && verMinor == minor && verMicro >= micro)
 }
-// Init function: Verify library version is appropriate
-func init() {
+// Ensure that the library is supported, i.e. >= 2.1.0.
+func ensureSupportedVersion() error {
 if !checkVersionAbove(2, 1, 0) {
- fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO)
- os.Exit(-1)
+ return VersionError{}
 }
+ return nil
 }
 // Filter helpers
@@ -217,7 +216,10 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
 }
 if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
- return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
+ return 0x0, VersionError{
+ message: "thread synchronization attribute is not supported",
+ minimum: "2.2.0",
+ }
 }
 var attribute C.uint32_t
@@ -240,7 +242,10 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
 }
 if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
- return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
+ return VersionError{
+ message: "thread synchronization attribute is not supported",
+ minimum: "2.2.0",
+ }
 }
 retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
@@ -296,7 +301,10 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
 } else {
 // We don't support conditional filtering in library version v2.1
 if !checkVersionAbove(2, 2, 1) {
- return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1")
+ return VersionError{
+ message: "conditional filtering is not supported",
+ minimum: "2.2.1",
+ }
 }
 for _, cond := range conds {