all: unify libseccomp version / API level checks

This unifies all the code that is used to check for minimally required
libseccomp version and API level and generate an error.

For errors, VersionError is reused, which is now amended with API level.

For checks, we now have checkVersion and checkAPI, which generate errors
that can be returned as is.

This removes some repetitive code and unifies error messages. As a
side benefit, a user can now check if an error was caused by an old
libseccomp and/or low API level, by using errors.As or checking if the
type is VersionError.

Signed-off-by: Kir Kolyshkin <[email protected]>
Acked-by: Tom Hromatka <[email protected]>
Signed-off-by: Paul Moore <[email protected]>

Author: kolyshkin

seccomp.go

@@ -34,32 +34,31 @@ import "C"
 
 // Exported types
 
-// VersionError denotes that the system libseccomp version is incompatible
-// with this package.
+// VersionError represents an error when either the system libseccomp version
+// or the kernel version is too old to perform the operation requested.
 type VersionError struct {
-	message string
-	minimum string
+	op             string // operation that failed or would fail
+	minVer         string // minimally required libseccomp version
+	curAPI, minAPI uint   // current and minimally required API versions
 }
 
 func init() {
 	// This forces the cgo libseccomp to initialize its internal API support state,
 	// which is necessary on older versions of libseccomp in order to work
 	// correctly.
-	GetAPI()
+	_, _ = getAPI()
 }
 
 func (e VersionError) Error() string {
-	messageStr := ""
-	if e.message != "" {
-		messageStr = e.message + ": "
+	if e.minAPI != 0 {
+		return fmt.Sprintf("%s requires libseccomp >= %s and API level >= %d "+
+			"(current version: %d.%d.%d, API level: %d)",
+			e.op, e.minVer, e.minAPI,
+			verMajor, verMinor, verMicro, e.curAPI)
 	}
-	minimumStr := ""
-	if e.minimum != "" {
-		minimumStr = e.minimum
-	} else {
-		minimumStr = "2.2.0"
-	}
-	return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro)
+	return fmt.Sprintf("%s requires libseccomp >= %s (current version: %d.%d.%d)",
+		e.op, e.minVer, verMajor, verMinor, verMicro)
+
 }
 
 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
@@ -874,10 +873,8 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
 func (f *ScmpFilter) GetLogBit() (bool, error) {
 	log, err := f.getFilterAttr(filterAttrLog)
 	if err != nil {
-		// Ignore error, if not supported returns apiLevel == 0
-		apiLevel, _ := GetAPI()
-		if apiLevel < 3 {
-			return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
+		if e := checkAPI("GetLogBit", 3, "2.4.0"); e != nil {
+			err = e
 		}
 
 		return false, err
@@ -899,9 +896,8 @@ func (f *ScmpFilter) GetLogBit() (bool, error) {
 func (f *ScmpFilter) GetSSB() (bool, error) {
 	ssb, err := f.getFilterAttr(filterAttrSSB)
 	if err != nil {
-		api, apiErr := getAPI()
-		if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
-			return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+		if e := checkAPI("GetSSB", 4, "2.5.0"); e != nil {
+			err = e
 		}
 
 		return false, err
@@ -953,10 +949,8 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
 
 	err := f.setFilterAttr(filterAttrLog, toSet)
 	if err != nil {
-		// Ignore error, if not supported returns apiLevel == 0
-		apiLevel, _ := GetAPI()
-		if apiLevel < 3 {
-			return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
+		if e := checkAPI("SetLogBit", 3, "2.4.0"); e != nil {
+			err = e
 		}
 	}
 
@@ -976,9 +970,8 @@ func (f *ScmpFilter) SetSSB(state bool) error {
 
 	err := f.setFilterAttr(filterAttrSSB, toSet)
 	if err != nil {
-		api, apiErr := getAPI()
-		if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
-			return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+		if e := checkAPI("SetSSB", 4, "2.5.0"); e != nil {
+			err = e
 		}
 	}
 

seccomp_internal.go

@@ -302,19 +302,24 @@ var (
 
 // Nonexported functions
 
-// Check if library version is greater than or equal to the given one
-func checkVersionAbove(major, minor, micro uint) bool {
-	return (verMajor > major) ||
+// checkVersion returns an error if libseccomp version used during runtime
+// is less than the one required by major, minor, and micro arguments.
+// Argument op is arbitrary non-empty operation description, which
+// may is used as a part of the  error message returned.
+func checkVersion(op string, major, minor, micro uint) error {
+	if (verMajor > major) ||
 		(verMajor == major && verMinor > minor) ||
-		(verMajor == major && verMinor == minor && verMicro >= micro)
+		(verMajor == major && verMinor == minor && verMicro >= micro) {
+		return nil
+	}
+	return &VersionError{
+		op:     op,
+		minVer: fmt.Sprintf("%d.%d.%d", major, minor, micro),
+	}
 }
 
-// Ensure that the library is supported, i.e. >= 2.2.0.
 func ensureSupportedVersion() error {
-	if !checkVersionAbove(2, 2, 0) {
-		return VersionError{}
-	}
-	return nil
+	return checkVersion("seccomp", 2, 2, 0)
 }
 
 // Get the API level
@@ -433,11 +438,8 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
 		}
 	} else {
 		// We don't support conditional filtering in library version v2.1
-		if !checkVersionAbove(2, 2, 1) {
-			return VersionError{
-				message: "conditional filtering is not supported",
-				minimum: "2.2.1",
-			}
+		if err := checkVersion("conditional filtering", 2, 2, 1); err != nil {
+			return err
 		}
 
 		argsArr := C.make_arg_cmp_array(C.uint(len(conds)))
@@ -724,21 +726,40 @@ func (scmpResp *ScmpNotifResp) toNative(resp *C.struct_seccomp_notif_resp) {
 	resp.flags = C.__u32(scmpResp.Flags)
 }
 
+// checkAPI checks if API level is at least minLevel, and returns an error
+// otherwise. Argument op is an arbitrary string description the operation,
+// and minVersion is the minimally required libseccomp version.
+// Both op and minVersion are only used in an error message.
+func checkAPI(op string, minLevel uint, minVersion string) error {
+	// Ignore error from getAPI -- it returns level == 0 in case of error.
+	level, _ := getAPI()
+	if level >= minLevel {
+		return nil
+	}
+	return &VersionError{
+		op:     op,
+		curAPI: level,
+		minAPI: minLevel,
+		minVer: minVersion,
+	}
+}
+
 // Userspace Notification API
 // Calls to C.seccomp_notify* hidden from seccomp.go
 
+func notifSupported() error {
+	return checkAPI("seccomp notification", 6, "2.5.0")
+}
+
 func (f *ScmpFilter) getNotifFd() (ScmpFd, error) {
 	f.lock.Lock()
 	defer f.lock.Unlock()
 
 	if !f.valid {
 		return -1, errBadFilter
 	}
-
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return -1, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+	if err := notifSupported(); err != nil {
+		return -1, err
 	}
 
 	fd := C.seccomp_notify_fd(f.filterCtx)
@@ -750,10 +771,8 @@ func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
 	var req *C.struct_seccomp_notif
 	var resp *C.struct_seccomp_notif_resp
 
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return nil, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+	if err := notifSupported(); err != nil {
+		return nil, err
 	}
 
 	// we only use the request here; the response is unused
@@ -789,10 +808,8 @@ func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
 	var req *C.struct_seccomp_notif
 	var resp *C.struct_seccomp_notif_resp
 
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+	if err := notifSupported(); err != nil {
+		return err
 	}
 
 	// we only use the reponse here; the request is discarded
@@ -827,10 +844,8 @@ func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
 }
 
 func notifIDValid(fd ScmpFd, id uint64) error {
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+	if err := notifSupported(); err != nil {
+		return err
 	}
 
 	for {

seccomp_test.go

@@ -62,58 +62,6 @@ func execInSubprocess(t *testing.T, f func(t *testing.T)) {
 
 // Type Function Tests
 
-type versionErrorTest struct {
-	err VersionError
-	str string
-}
-
-var versionStr = fmt.Sprintf("%d.%d.%d", verMajor, verMinor, verMicro)
-
-var versionErrorTests = []versionErrorTest{
-	{
-		VersionError{
-			"deadbeef",
-			"x.y.z",
-		},
-		"Libseccomp version too low: deadbeef: " +
-			"minimum supported is x.y.z: detected " + versionStr,
-	},
-	{
-		VersionError{
-			"",
-			"x.y.z",
-		},
-		"Libseccomp version too low: minimum supported is x.y.z: " +
-			"detected " + versionStr,
-	},
-	{
-		VersionError{
-			"deadbeef",
-			"",
-		},
-		"Libseccomp version too low: " +
-			"deadbeef: minimum supported is 2.2.0: " +
-			"detected " + versionStr,
-	},
-	{
-		VersionError{
-			"",
-			"",
-		},
-		"Libseccomp version too low: minimum supported is 2.2.0: " +
-			"detected " + versionStr,
-	},
-}
-
-func TestVersionError(t *testing.T) {
-	for i, test := range versionErrorTests {
-		str := test.err.Error()
-		if str != test.str {
-			t.Errorf("VersionError %d: got %q: expected %q", i, str, test.str)
-		}
-	}
-}
-
 func APILevelIsSupported() bool {
 	return verMajor > 2 ||
 		(verMajor == 2 && verMinor > 3) ||

seccomp_ver_test.go

@@ -0,0 +1,66 @@
+package seccomp
+
+import (
+	"testing"
+)
+
+func TestCheckVersion(t *testing.T) {
+	for _, tc := range []struct {
+		// test input
+		op      string
+		x, y, z uint
+		// test output
+		res string // empty string if no error is expected
+	}{
+		{
+			op: "frobnicate", x: 100, y: 99, z: 7,
+			res: "frobnicate requires libseccomp >= 100.99.7 (current version: ",
+		},
+		{
+			op: "old-ver", x: 2, y: 2, z: 0, // 2.2.0 is guaranteed to succeed
+		},
+	} {
+		err := checkVersion(tc.op, tc.x, tc.y, tc.z)
+		t.Log(err)
+		if tc.res != "" { // error expected
+			if err == nil {
+				t.Errorf("case %s: expected %q-like error, got nil", tc.op, tc.res)
+			}
+			continue
+		}
+		if err != nil {
+			t.Errorf("case %s: expected no error, got %s", tc.op, err)
+		}
+	}
+}
+
+func TestCheckAPI(t *testing.T) {
+	for _, tc := range []struct {
+		// test input
+		op    string
+		level uint
+		ver   string
+		// test output
+		res string // empty string if no error is expected
+	}{
+		{
+			op: "deviate", level: 99, ver: "100.99.88",
+			res: "frobnicate requires libseccomp >= 100.99.7 (current version: ",
+		},
+		{
+			op: "api-0", level: 0, // API 0 will succeed
+		},
+	} {
+		err := checkAPI(tc.op, tc.level, tc.ver)
+		t.Log(err)
+		if tc.res != "" { // error expected
+			if err == nil {
+				t.Errorf("case %s: expected %q-like error, got nil", tc.op, tc.res)
+			}
+			continue
+		}
+		if err != nil {
+			t.Errorf("case %s: expected no error, got %s", tc.op, err)
+		}
+	}
+}