

grpc: Add seccomp status to guest details
Add a boolean to the `AgentDetails` message returned by
`GetGuestDetails()` showing whether seccomp support is available. If set,
it indicates that full seccomp support [*] is available.

Fixes kata-containers#381.

[*] - Both the agent and the environment it is running in support seccomp.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
jodh-intel committed Sep 26, 2018
1 parent 7b71c10 commit a396a23
Showing 6 changed files with 258 additions and 166 deletions.
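--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,8 @@ AGENT_IMAGE := katacontainers/agent-dev
 AGENT_TAG := $(if $(COMMIT_NO_SHORT),$(COMMIT_NO_SHORT),dev)
 
 $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
-go build -tags "$(BUILDTAGS)" -o $@ -ldflags "-X main.version=$(VERSION_COMMIT)"
+go build -tags "$(BUILDTAGS)" -o $@ \
+-ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP)"
 
 install:
 install -D $(TARGET) $(DESTDIR)$(BINDIR)/$(TARGET)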
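Review bot: The new -ldflags line injects $(SECCOMP) into main.seccompSupport, but nothing in this hunk defines or validates SECCOMP, so an unset or misspelled variable (empty, "YES", "true") links an agent whose haveSeccomp() in grpc.go always reports false even on a seccomp-capable build and kernel. Unless SECCOMP is already defined and checked elsewhere in the Makefile, guard the link step with `ifeq (,$(filter yes no,$(SECCOMP)))`, `$(error SECCOMP must be "yes" or "no", got "$(SECCOMP)")`, `endif` so a misconfigured build fails loudly instead of silently advertising a guest without seccomp. The same exact-string coupling is relied on by the seccompSupport comparison in grpc.go and by the bare declaration in agent.go.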
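--- a/agent.go
+++ b/agent.go
@@ -49,6 +49,9 @@ var (
 cgroupMemoryPath = cgroupPath + "/memory"
 cgroupMemoryUseHierarchyPath = cgroupMemoryPath + "/memory.use_hierarchy"
 cgroupMemoryUseHierarchyMode = os.FileMode(0400)
+
+// Set by the build
+seccompSupport string
 )
 
 var initRootfsMounts = []initMount{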
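Review bot: The comment on the new seccompSupport variable says only that the build sets it, not how or which values are meaningful, so a reader of agent.go cannot tell that grpc.go treats only the exact literal "yes" as support and that any other value (including the empty string of an unset build variable) means "no". Suggest `// seccompSupport is injected at link time via -ldflags "-X main.seccompSupport=..." (see Makefile); only the value "yes" enables haveSeccomp().`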
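--- a/grpc.go
+++ b/grpc.go
@@ -24,6 +24,7 @@ import (
 pb "github.com/kata-containers/agent/protocols/grpc"
 "github.com/opencontainers/runc/libcontainer"
 "github.com/opencontainers/runc/libcontainer/configs"
+"github.com/opencontainers/runc/libcontainer/seccomp"
 "github.com/opencontainers/runc/libcontainer/specconv"
 "github.com/opencontainers/runc/libcontainer/utils"
 "github.com/opencontainers/runtime-spec/specs-go"
@@ -1334,10 +1335,19 @@ func (a *agentGRPC) GetGuestDetails(ctx context.Context, req *pb.GuestDetailsReq
 return &details, nil
 }
 
+func (a *agentGRPC) haveSeccomp() bool {
+if seccompSupport == "yes" && seccomp.IsEnabled() {
+return true
+}
+
+return false
+}
+
 func (a *agentGRPC) getAgentDetails(ctx context.Context) *pb.AgentDetails {
 details := pb.AgentDetails{
-Version: version,
-InitDaemon: os.Getpid() == 1,
+Version: version,
+InitDaemon: os.Getpid() == 1,
+SupportsSeccomp: a.haveSeccomp(),
 }
 
 for handler := range deviceHandlerList {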
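Review bot: haveSeccomp spells a boolean out as an if/return true/return false ladder; it reads more directly as the single line `return seccompSupport == "yes" && seccomp.IsEnabled()`. The method also never touches its receiver and carries no comment, so it is not obvious to a reader of getAgentDetails that both the build-time flag and the runtime kernel check must hold for SupportsSeccomp to be reported; add `// haveSeccomp reports whether the agent was built with seccomp support and the kernel it runs on has seccomp enabled.` Consider also logging the two inputs once at startup, since a false SupportsSeccomp caused by an empty build string is otherwise indistinguishable from a kernel without seccomp.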
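--- a/grpc_test.go
+++ b/grpc_test.go
@@ -23,6 +23,7 @@ import (
 pb "github.com/kata-containers/agent/protocols/grpc"
 "github.com/opencontainers/runc/libcontainer"
 "github.com/opencontainers/runc/libcontainer/configs"
+"github.com/opencontainers/runc/libcontainer/seccomp"
 "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/stretchr/testify/assert"
 )
@@ -624,7 +625,7 @@ func TestMultiWaitProcess(t *testing.T) {
 wg.Wait()
 }
 
-func testAgentDetails(assert *assert.Assertions, details *pb.AgentDetails) {
+func testAgentDetails(assert *assert.Assertions, details *pb.AgentDetails, haveSeccomp bool) {
 assert.NotNil(details)
 
 assert.Equal(details.Version, version)
@@ -649,6 +650,8 @@ func testAgentDetails(assert *assert.Assertions, details *pb.AgentDetails) {
 
 assert.Equal(details.DeviceHandlers, devices)
 assert.Equal(details.StorageHandlers, storages)
+
+assert.Equal(details.SupportsSeccomp, haveSeccomp)
 }
 
 func TestGetGuestDetails(t *testing.T) {
@@ -673,7 +676,9 @@ func TestGetGuestDetails(t *testing.T) {
 assert.NoError(err)
 
 assert.Equal(resp.MemBlockSizeBytes, size)
-testAgentDetails(assert, resp.AgentDetails)
+
+seccompSupport := a.haveSeccomp()
+testAgentDetails(assert, resp.AgentDetails, seccompSupport)
 }
 
 func TestGetAgentDetails(t *testing.T) {
@@ -687,5 +692,30 @@ func TestGetAgentDetails(t *testing.T) {
 
 details := a.getAgentDetails(context.TODO())
 
-testAgentDetails(assert, details)
+seccompSupport := a.haveSeccomp()
+testAgentDetails(assert, details, seccompSupport)
 }
+
+func TestHaveSeccomp(t *testing.T) {
+assert := assert.New(t)
+
+a := &agentGRPC{
+sandbox: &sandbox{
+containers: make(map[string]*container),
+},
+}
+
+savedSeccompSupport := seccompSupport
+
+defer func() {
+seccompSupport = savedSeccompSupport
+}()
+
+for _, seccompSupport := range []string{"yes", "no"} {
+if seccompSupport == "yes" {
+assert.Equal(a.haveSeccomp(), seccomp.IsEnabled())
+} else {
+assert.Equal(a.haveSeccomp(), false)
+}
+}
+}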
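Review bot: In TestHaveSeccomp the loop variable `seccompSupport` shadows the package-level variable instead of assigning to it, so a.haveSeccomp() reads whatever value the test binary was linked with on both iterations and the saved/restored global is never actually changed. On a build linked with SECCOMP=yes on a seccomp-enabled kernel the "no" iteration fails, and on any other build the "yes" iteration asserts nothing about the positive path. Rename the loop variable and assign the global: `for _, v := range []string{"yes", "no"} {`, `seccompSupport = v`, `if v == "yes" {`; the negative branch can then be `assert.False(a.haveSeccomp())`. The sandbox/containers setup on the agentGRPC value is unused by haveSeccomp and could be dropped from this test.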
