all: require libseccomp >= 2.3.1
Currently this package requires libseccomp >= 2.2.0, refusing to build
otherwise, and contains a few kludges specifically targeting libseccomp
2.2.0.

Let's require version 2.3.1 or greater, and remove the kludges for older
versions. While at it, reword the error message to remove the word
"supported".

Checking for libseccomp versions shipped with various old (but still
supported) releases, here is what I found out:

* Ubuntu 14.04 "Trusty Tahr": 2.1.1 (unsupported by this pkg), with
  2.2.3 available in backports repo [1]

* Debian "Stretch" (aka oldoldstable): 2.3.1 [2]

* RHEL/CentOS 7: 2.3.1 [3]

* SLES 15 SP1: 2.4.3 [4]

* openSUSE Leap 15.2: 2.4.1 [4]

* Alpine 3.11: 2.4.2 [5]

* Arch, Gentoo: 2.5.x

[1] https://launchpad.net/ubuntu/+source/libseccomp
[2] https://packages.debian.org/search?keywords=libseccomp
[3] https://rpmfind.net/linux/rpm2html/search.php?query=libseccomp
[4] https://software.opensuse.org/package/libseccomp
[5] https://pkgs.alpinelinux.org/packages?name=libseccomp&branch=v3.11

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kolyshkin authored and pcmoore committed Oct 8, 2021
1 parent bc12167 commit 449387b
Showing 2 changed files with 5 additions and 16 deletions.
6 changes: 0 additions & 6 deletions seccomp.go
@@ -1013,9 +1013,6 @@ func (f *ScmpFilter) AddRuleExact(call ScmpSyscall, action ScmpAction) error {
// AddRuleConditional adds a single rule for a conditional action on a syscall.
// Returns an error if an issue was encountered adding the rule.
// All conditions must match for the rule to match.
// There is a bug in library versions below v2.2.1 which can, in some cases,
// cause conditions to be lost when more than one are used. Consequently,
// AddRuleConditional is disabled on library versions lower than v2.2.1
func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
return f.addRuleGeneric(call, action, false, conds)
}
@@ -1027,9 +1024,6 @@ func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, con
// The rule will function exactly as described, but it may not function identically
// (or be able to be applied to) all architectures.
// Returns an error if an issue was encountered adding the rule.
// There is a bug in library versions below v2.2.1 which can, in some cases,
// cause conditions to be lost when more than one are used. Consequently,
// AddRuleConditionalExact is disabled on library versions lower than v2.2.1
func (f *ScmpFilter) AddRuleConditionalExact(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
return f.addRuleGeneric(call, action, true, conds)
}
15 changes: 5 additions & 10 deletions seccomp_internal.go
@@ -25,10 +25,10 @@ import (
#include <stdlib.h>
#include <seccomp.h>
#if SCMP_VER_MAJOR < 2
#error Minimum supported version of Libseccomp is v2.2.0
#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2
#error Minimum supported version of Libseccomp is v2.2.0
#if (SCMP_VER_MAJOR < 2) || \
(SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3) || \
(SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 3 && SCMP_VER_MICRO < 1)
#error This package requires libseccomp >= v2.3.1
#endif
#define ARCH_BAD ~0
@@ -319,7 +319,7 @@ func checkVersion(op string, major, minor, micro uint) error {
}

func ensureSupportedVersion() error {
return checkVersion("seccomp", 2, 2, 0)
return checkVersion("seccomp", 2, 3, 1)
}

// Get the API level
@@ -437,11 +437,6 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
return err
}
} else {
// We don't support conditional filtering in library version v2.1
if err := checkVersion("conditional filtering", 2, 2, 1); err != nil {
return err
}

argsArr := C.make_arg_cmp_array(C.uint(len(conds)))
if argsArr == nil {
return fmt.Errorf("error allocating memory for conditions")
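Review bot: With the `checkVersion("conditional filtering", 2, 2, 1)` call removed, the conditional branch of `addRuleGeneric` has no runtime version guard of its own, and the `#error` block only checks the headers at build time. A binary that loads an older libseccomp at run time would then depend entirely on `ensureSupportedVersion()` having run before rules are added; its callers are outside this section, so that should be confirmed. A rule that silently loses a condition matches more calls than intended, so I would record the dependency above `argsArr := ...`, for example `// Multiple conditions are safe only because ensureSupportedVersion() enforces libseccomp >= v2.3.1 at runtime.` I would also give `ensureSupportedVersion` a doc comment saying its minimum must be kept in step with the `#error` check. `addRuleGeneric` starts and ends outside the hunk.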
