ignore some docker craziness in scccomp environment checks

2016-08-02 12:19:38 -04:00 · 2016-08-02 12:19:38 -04:00 · f77e8a512c
parent 9f88a8194a
commit f77e8a512c
1 changed files with 15 additions and 1 deletions
--- a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
@ -200,6 +200,7 @@ final class Seccomp {
    static final int SECCOMP_RET_ALLOW = 0x7FFF0000;

    // some errno constants for error checking/handling
+    static final int EPERM  = 0x01;
    static final int EACCES = 0x0D;
    static final int EFAULT = 0x0E;
    static final int EINVAL = 0x16;
@ -275,10 +276,23 @@ final class Seccomp {

        // check that unimplemented syscalls actually return ENOSYS
        // you never know (e.g. https://code.google.com/p/chromium/issues/detail?id=439795)
-        if (linux_syscall(999) >= 0 || Native.getLastError() != ENOSYS) {
+        if (linux_syscall(999) >= 0) {
            throw new UnsupportedOperationException("seccomp unavailable: your kernel is buggy and you should upgrade");
        }

+        switch (Native.getLastError()) {
+            case ENOSYS:
+                break; // ok
+            case EPERM:
+                // NOT ok, but likely a docker container
+                if (logger.isDebugEnabled()) {
+                    logger.debug("syscall(BOGUS) bogusly gets EPERM instead of ENOSYS");
+                }
+                break;
+            default:
+                throw new UnsupportedOperationException("seccomp unavailable: your kernel is buggy and you should upgrade");
+        }
+
        // try to check system calls really are who they claim
        // you never know (e.g. https://chromium.googlesource.com/chromium/src.git/+/master/sandbox/linux/seccomp-bpf/sandbox_bpf.cc#57)
        final int bogusArg = 0xf7a46a5c;