Display list of precompiled seccomp-bpf programs in debug logs.
See [this comment](freedomofpress/dangerzone#590 (comment)) for context.

PiperOrigin-RevId: 643463161
EtiennePerot authored and gvisor-bot committed Jun 14, 2024
1 parent 2069e86 commit 11efa60
Showing 2 changed files with 20 additions and 0 deletions.
13 changes: 13 additions & 0 deletions pkg/seccomp/precompiledseccomp/precompiled_lib.tmpl.go
Expand Up @@ -17,6 +17,8 @@
package precompiled

import (
"sort"

"gvisor.dev/gvisor/pkg/seccomp/precompiledseccomp"
"gvisor.dev/gvisor/pkg/sync"
)
Expand All @@ -39,6 +41,17 @@ func GetPrecompiled(programName string) (precompiledseccomp.Program, bool) {
return program, ok
}

// ListPrecompiled returns a list of all registered program names.
func ListPrecompiled() []string {
registerPrecompiledProgramsOnce.Do(registerPrograms)
programNames := make([]string, 0, len(precompiledPrograms))
for name := range precompiledPrograms {
programNames = append(programNames, name)
}
sort.Strings(programNames)
return programNames
}

// registerPrograms registers available programs inside `precompiledPrograms`.
func registerPrograms() {
programs := make(map[string]precompiledseccomp.Program)
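Review bot: The doc comment on `ListPrecompiled` leaves out two things the body guarantees: the names come back sorted (`sort.Strings`) and the slice is freshly allocated (`make`), so callers may modify it. I would write it as `// ListPrecompiled returns the names of all registered programs in sorted order; the returned slice is newly allocated.` The function also reads `precompiledPrograms` after `registerPrecompiledProgramsOnce.Do` with no further locking. That is presumably safe only if the map is never written after registration, which cannot be confirmed from this hunk.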
7 changes: 7 additions & 0 deletions runsc/boot/filter/filter.go
Expand Up @@ -56,6 +56,13 @@ func Install(opt Options) error {
seccompOpts.DefaultAction = linux.SECCOMP_RET_TRAP
} else {
log.Infof("No precompiled program found for config options %v, building seccomp program from scratch. This may slow down container startup.", key)
if log.IsLogging(log.Debug) {
precompiledKeys := ListPrecompiled()
log.Debugf("Precompiled seccomp-bpf program configuration option variants (%d):", len(precompiledKeys))
for k := range precompiledKeys {
log.Debugf(" %v", k)
}
}
}
rules, denyRules := config.Rules(opt)
return seccomp.Install(rules, denyRules, seccompOpts)
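Review bot: The added loop `for k := range precompiledKeys` binds `k` to the slice index rather than the element, so the debug lines would print 0, 1, 2… instead of the precompiled configuration variants. This assumes the unqualified `ListPrecompiled()` call resolves to the function added in precompiled_lib.tmpl.go, which returns `[]string`; that is inferred from the template file, not visible here. The output exists to explain why the sandbox fell back to building its seccomp filter from scratch, so the names are the part an operator needs when diagnosing a config mismatch. The loop header should be `for _, k := range precompiledKeys {`, leaving the `log.Debugf` call as is. `Install` begins before this hunk, so only the fallback branch is reviewed.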
