pkg/sysinfo: use containerd/pkg/seccomp.IsEnabled()

This replaces the local SeccompSupported() utility for the implementation in containerd, which performs the same check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-01-11 18:51:37 +00:00 · 2021-08-27 15:21:52 +02:00
parent 2bb21b85c2
commit accec292c1
4 changed files with 130 additions and 17 deletions
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@@ -6,12 +6,11 @@ import (
 	"os"
 	"path"
 	"strings"
-	"sync"

 	cdcgroups "github.com/containerd/cgroups"
+	cdseccomp "github.com/containerd/containerd/pkg/seccomp"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )

 func findCgroupMountpoints() (map[string]string, error) {
@@ -246,23 +245,9 @@ func applyCgroupNsInfo(info *SysInfo) {
 	}
 }

-var (
-	seccompOnce    sync.Once
-	seccompEnabled bool
-)
-
 // applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
 func applySeccompInfo(info *SysInfo) {
-	seccompOnce.Do(func() {
-		// Check if Seccomp is supported, via CONFIG_SECCOMP.
-		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
-			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
-				seccompEnabled = true
-			}
-		}
-	})
-	info.Seccomp = seccompEnabled
+	info.Seccomp = cdseccomp.IsEnabled()
 }

 func cgroupEnabled(mountPoint, name string) bool {