author | Andrei Vagin <avagin@google.com> | 2019-06-12 11:54:15 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-06-12 11:55:24 -0700 |
commit | bb849bad296f372670c2d2cf97424f74cf750ce2 (patch) | |
tree | 14875bbf5803269d409105a41afa751e63bc42e1 /runsc/boot/controller.go | |
parent | 0d05a12fd394e464d44d8d39c58b22249358ed19 (diff) |
gvisor/runsc: apply seccomp filters before parsing a state file
PiperOrigin-RevId: 252869983
Diffstat (limited to 'runsc/boot/controller.go')
-rw-r--r-- | runsc/boot/controller.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go index 416e5355d..26765cc46 100644 --- a/runsc/boot/controller.go +++ b/runsc/boot/controller.go @@ -359,6 +359,17 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error { return fmt.Errorf("file cannot be empty") } + if cm.l.conf.ProfileEnable { + // initializePProf opens /proc/self/maps, so has to be + // called before installing seccomp filters. + initializePProf() + } + + // Seccomp filters have to be applied before parsing the state file. + if err := cm.l.installSeccompFilters(); err != nil { + return err + } + // Load the state. loadOpts := state.LoadOpts{Source: specFile} if err := loadOpts.Load(k, networkStack); err != nil { |
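Review bot: The comment above the new `cm.l.installSeccompFilters()` call says the filters must precede state parsing but not why, and that ordering is the whole point of the change. Presumably the state file is not trusted, so I would say so, e.g. `// The state file is untrusted input: install the seccomp filters first so the parser only ever runs with the reduced syscall surface.` The failure path is fail-closed, since the state is never loaded if installation fails, but the bare `return err` does not tell the caller which step of Restore failed. `return fmt.Errorf("installing seccomp filters: %v", err)` would match the `fmt.Errorf` use a few lines up. Restore begins and ends outside this hunk, so two things cannot be checked from here and are worth confirming: whether anything earlier in the function already reads the file's contents, and whether a later start path would install the filters a second time.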