libcontainer: use Prctl() from x/sys/unix

tklauser · tklauser · commit a380fae9599a · 2017-07-10T10:56:58.000+02:00
Use unix.Prctl() instead of manually reimplementing it using
unix.RawSyscall. Also use unix.SECCOMP_MODE_FILTER instead of locally
defining it.

Signed-off-by: Tobias Klauser &lt;tklauser@distanz.ch&gt;
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -20,9 +20,6 @@ var (
 	actKill  = libseccomp.ActKill
 	actTrace = libseccomp.ActTrace.SetReturnCode(int16(unix.EPERM))
 	actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM))
-
-	// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
-	SeccompModeFilter = uintptr(2)
 )
 
 // Filters given syscalls in a container, preventing them from being used
@@ -85,9 +82,9 @@ func IsEnabled() bool {
 	s, err := parseStatusFile("/proc/self/status")
 	if err != nil {
 		// Check if Seccomp is supported, via CONFIG_SECCOMP.
-		if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0); err != unix.EINVAL {
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
 			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-			if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_SECCOMP, SeccompModeFilter, 0); err != unix.EINVAL {
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
 				return true
 			}
 		}
diff --git a/libcontainer/system/linux.go b/libcontainer/system/linux.go
@@ -64,31 +64,30 @@ func Prlimit(pid, resource int, limit unix.Rlimit) error {
 }
 
 func SetParentDeathSignal(sig uintptr) error {
-	if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_PDEATHSIG, sig, 0); err != 0 {
+	if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
 		return err
 	}
 	return nil
 }
 
 func GetParentDeathSignal() (ParentDeathSignal, error) {
 	var sig int
-	_, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0)
-	if err != 0 {
+	if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil {
 		return -1, err
 	}
 	return ParentDeathSignal(sig), nil
 }
 
 func SetKeepCaps() error {
-	if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_KEEPCAPS, 1, 0); err != 0 {
+	if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil {
 		return err
 	}
 
 	return nil
 }
 
 func ClearKeepCaps() error {
-	if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_KEEPCAPS, 0, 0); err != 0 {
+	if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil {
 		return err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -64,31 +64,30 @@ func Prlimit(pid, resource int, limit unix.Rlimit) error {`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`func SetParentDeathSignal(sig uintptr) error {`
`67`		`- if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_PDEATHSIG, sig, 0); err != 0 {`
	`67`	`+ if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {`
`68`	`68`	`return err`
`69`	`69`	`}`
`70`	`70`	`return nil`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`func GetParentDeathSignal() (ParentDeathSignal, error) {`
`74`	`74`	`var sig int`
`75`		`- _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0)`
`76`		`- if err != 0 {`
	`75`	`+ if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil {`
`77`	`76`	`return -1, err`
`78`	`77`	`}`
`79`	`78`	`return ParentDeathSignal(sig), nil`
`80`	`79`	`}`
`81`	`80`
`82`	`81`	`func SetKeepCaps() error {`
`83`		`- if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_KEEPCAPS, 1, 0); err != 0 {`
	`82`	`+ if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil {`
`84`	`83`	`return err`
`85`	`84`	`}`
`86`	`85`
`87`	`86`	`return nil`
`88`	`87`	`}`
`89`	`88`
`90`	`89`	`func ClearKeepCaps() error {`
`91`		`- if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_KEEPCAPS, 0, 0); err != 0 {`
	`90`	`+ if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil {`
`92`	`91`	`return err`
`93`	`92`	`}`
`94`	`93`