systrap: don't fail if seccomp_unotify isn't supported

Fixes #10633 PiperOrigin-RevId: 651552693
google · Jul 11, 2024 · 03e1b70 · 03e1b70
1 parent ab513ff
commit 03e1b70
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/pkg/sentry/platform/systrap/syscall_thread.go b/pkg/sentry/platform/systrap/syscall_thread.go
@@ -98,7 +98,11 @@ func (t *syscallThread) init(seccompNotify bool) error {
 	}
 
 	if seccompNotify {
-		t.seccompNotify = t.installSeccompNotify()
+		var err error
+		t.seccompNotify, err = t.installSeccompNotify()
+		if err != nil {
+			t.thread.Warningf("failed to install seccomp notify rules: %s", err)
+		}
 	}
 
 	// Map the stack into the sentry.
@@ -142,19 +146,19 @@ func (t *syscallThread) destroy() {
 	t.subproc.sysmsgStackPool.Put(t.thread.sysmsgStackID)
 }
 
-func (t *syscallThread) installSeccompNotify() *os.File {
+func (t *syscallThread) installSeccompNotify() (*os.File, error) {
 	fd, err := t.thread.syscallIgnoreInterrupt(&t.thread.initRegs, seccomp.SYS_SECCOMP,
 		arch.SyscallArgument{Value: uintptr(linux.SECCOMP_SET_MODE_FILTER)},
 		arch.SyscallArgument{Value: uintptr(linux.SECCOMP_FILTER_FLAG_NEW_LISTENER)},
 		arch.SyscallArgument{Value: stubSyscallRules})
 	if err != nil {
-		panic(fmt.Sprintf("seccomp failed: %v", err))
+		return nil, err
 	}
 	_, _, errno := unix.RawSyscall(unix.SYS_IOCTL, fd, linux.SECCOMP_IOCTL_NOTIF_SET_FLAGS, linux.SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP)
 	if errno != 0 {
 		t.thread.Debugf("failed to set SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP")
 	}
-	return os.NewFile(fd, "seccomp_notify")
+	return os.NewFile(fd, "seccomp_notify"), nil
 }
 
 // mapMessageIntoStub maps the syscall message into the stub process address space.