authorAndrei Vagin <avagin@google.com>2019-06-12 11:54:15 -0700
committerShentubot <shentubot@google.com>2019-06-12 11:55:24 -0700
commitbb849bad296f372670c2d2cf97424f74cf750ce2 (patch)
tree14875bbf5803269d409105a41afa751e63bc42e1 /runsc/boot/loader.go
parent0d05a12fd394e464d44d8d39c58b22249358ed19 (diff)
gvisor/runsc: apply seccomp filters before parsing a state file
PiperOrigin-RevId: 252869983
Diffstat (limited to 'runsc/boot/loader.go')
-rw-r--r--runsc/boot/loader.go43
1 files changed, 27 insertions, 16 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 3e6095fdc..c1dea736f 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -445,6 +445,23 @@ func createMemoryFile() (*pgalloc.MemoryFile, error) {
return mf, nil
}
+func (l *Loader) installSeccompFilters() error {
+ if l.conf.DisableSeccomp {
+ filter.Report("syscall filter is DISABLED. Running in less secure mode.")
+ } else {
+ opts := filter.Options{
+ Platform: l.k.Platform,
+ HostNetwork: l.conf.Network == NetworkHost,
+ ProfileEnable: l.conf.ProfileEnable,
+ ControllerFD: l.ctrl.srv.FD(),
+ }
+ if err := filter.Install(opts); err != nil {
+ return fmt.Errorf("installing seccomp filters: %v", err)
+ }
+ }
+ return nil
+}
+
// Run runs the root container.
func (l *Loader) Run() error {
err := l.run()
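Review bot: installSeccompFilters is added without a doc comment, and the ordering contract is the security-relevant part of this helper now that it has more than one intended call site. I would put it on the function, e.g. `// installSeccompFilters installs the seccomp filters unless conf.DisableSeccomp is set, in which case it only reports that filtering is off. It must be called before any untrusted data (a state file or user code) is processed.` The helper also returns nil on the DisableSeccomp branch, so callers cannot tell "installed" from "disabled"; that looks intentional, but the comment should say so. As a style point, the `else` can be dropped by returning nil right after `filter.Report(...)`, which keeps the install path left-aligned.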
@@ -480,25 +497,19 @@ func (l *Loader) run() error {
return fmt.Errorf("trying to start deleted container %q", l.sandboxID)
}
- // Finally done with all configuration. Setup filters before user code
- // is loaded.
- if l.conf.DisableSeccomp {
- filter.Report("syscall filter is DISABLED. Running in less secure mode.")
- } else {
- opts := filter.Options{
- Platform: l.k.Platform,
- HostNetwork: l.conf.Network == NetworkHost,
- ProfileEnable: l.conf.ProfileEnable,
- ControllerFD: l.ctrl.srv.FD(),
- }
- if err := filter.Install(opts); err != nil {
- return fmt.Errorf("installing seccomp filters: %v", err)
- }
- }
-
// If we are restoring, we do not want to create a process.
// l.restore is set by the container manager when a restore call is made.
if !l.restore {
+ if l.conf.ProfileEnable {
+ initializePProf()
+ }
+
+ // Finally done with all configuration. Setup filters before user code
+ // is loaded.
+ if err := l.installSeccompFilters(); err != nil {
+ return err
+ }
+
// Create the FD map, which will set stdin, stdout, and stderr. If console
// is true, then ioctl calls will be passed through to the host fd.
ctx := l.rootProcArgs.NewContext(l.k)
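Review bot: On the restore path run() no longer installs any seccomp filters, because the call to `l.installSeccompFilters()` now sits inside `if !l.restore`. The function therefore silently depends on the restore caller having installed them before the state file is parsed, and that caller is not part of this file's diff. If a future restore entry point omits the call, the sandbox would presumably run unfiltered with no error. At minimum, add a comment at the `if !l.restore` line such as `// On restore, seccomp filters must already have been installed before the state file was parsed.` A stronger option is to have installSeccompFilters record that it ran, and have run() return an error when `l.restore` is set and it has not. It is also worth a one-line comment on why `initializePProf()` must precede the filter install. run() starts and ends outside the hunk.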