diff options
| author | gVisor bot <gvisor-bot@google.com> | 2019-06-12 19:03:14 +0000 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2019-06-12 19:03:14 +0000 |
| commit | de584753757fe0e84deda25f37bb8cc16b224c98 (patch) | |
| tree | 6c87a5b72c0a7f84d72e481ac39a51e538d32171 /runsc/boot/controller.go | |
| parent | f25e6d019232613a1fe85b424bc993402d3e54a2 (diff) | |
| parent | bb849bad296f372670c2d2cf97424f74cf750ce2 (diff) | |
Merge bb849bad (automated)
Diffstat (limited to 'runsc/boot/controller.go')
| -rw-r--r-- | runsc/boot/controller.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go index 416e5355d..26765cc46 100644 --- a/runsc/boot/controller.go +++ b/runsc/boot/controller.go @@ -359,6 +359,17 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error { return fmt.Errorf("file cannot be empty") } + if cm.l.conf.ProfileEnable { + // initializePProf opens /proc/self/maps, so has to be + // called before installing seccomp filters. + initializePProf() + } + + // Seccomp filters have to be applied before parsing the state file. + if err := cm.l.installSeccompFilters(); err != nil { + return err + } + // Load the state. loadOpts := state.LoadOpts{Source: specFile} if err := loadOpts.Load(k, networkStack); err != nil { |