golang: Add API level bindings

Add bindings for getting and setting the libseccomp API level which was
added in the following libseccomp commit:

  commit e89d18205c7dcd7582f41051cd6389c9b12dfccf
  Author: Paul Moore <[email protected]>
  Date:   Thu Sep 21 10:27:38 2017 -0400

      api: create an API level construct as part of the supported API

The added tests for getting and setting the API level detect if API
level support is available in libseccomp and tests the behavior of
GetApi() and SetApi() accordingly.

Signed-off-by: Tyler Hicks <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>

Author: tyhicks

seccomp.go

@@ -328,6 +328,25 @@ func GetLibraryVersion() (major, minor, micro uint) {
 	return verMajor, verMinor, verMicro
 }
 
+// GetApi returns the API level supported by the system.
+// Returns a positive int containing the API level, or 0 with an error if the
+// API level could not be detected due to the library being older than v2.4.0.
+// See the seccomp_api_get(3) man page for details on available API levels:
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
+func GetApi() (uint, error) {
+	return getApi()
+}
+
+// SetApi forcibly sets the API level. General use of this function is strongly
+// discouraged.
+// Returns an error if the API level could not be set. An error is always
+// returned if the library is older than v2.4.0
+// See the seccomp_api_get(3) man page for details on available API levels:
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
+func SetApi(api uint) error {
+	return setApi(api)
+}
+
 // Syscall functions
 
 // GetName retrieves the name of a syscall from its number.

seccomp_internal.go

@@ -16,6 +16,7 @@ import (
 
 // #cgo pkg-config: libseccomp
 /*
+#include <errno.h>
 #include <stdlib.h>
 #include <seccomp.h>
 
@@ -122,6 +123,25 @@ unsigned int get_micro_version()
 }
 #endif
 
+// The libseccomp API level functions were added in v2.4.0
+#if (SCMP_VER_MAJOR < 2) || \
+    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4)
+const unsigned int seccomp_api_get(void)
+{
+	// libseccomp-golang requires libseccomp v2.2.0, at a minimum, which
+	// supported API level 2. However, the kernel may not support API level
+	// 2 constructs which are the seccomp() system call and the TSYNC
+	// filter flag. Return the "reserved" value of 0 here to indicate that
+	// proper API level support is not available in libseccomp.
+	return 0;
+}
+
+int seccomp_api_set(unsigned int level)
+{
+	return -EOPNOTSUPP;
+}
+#endif
+
 typedef struct scmp_arg_cmp* scmp_cast_t;
 
 void* make_arg_cmp_array(unsigned int length)
@@ -201,6 +221,29 @@ func ensureSupportedVersion() error {
 	return nil
 }
 
+// Get the API level
+func getApi() (uint, error) {
+	api := C.seccomp_api_get()
+	if api == 0 {
+		return 0, fmt.Errorf("API level operations are not supported")
+	}
+
+	return uint(api), nil
+}
+
+// Set the API level
+func setApi(api uint) error {
+	if retCode := C.seccomp_api_set(C.uint(api)); retCode != 0 {
+		if syscall.Errno(-1*retCode) == syscall.EOPNOTSUPP {
+			return fmt.Errorf("API level operations are not supported")
+		}
+
+		return fmt.Errorf("could not set API level: %v", retCode)
+	}
+
+	return nil
+}
+
 // Filter helpers
 
 // Filter finalizer - ensure that kernel context for filters is freed

seccomp_test.go

@@ -64,6 +64,51 @@ func TestVersionError(t *testing.T) {
 	}
 }
 
+func ApiLevelIsSupported() bool {
+	return verMajor > 2 ||
+		(verMajor == 2 && verMinor > 3) ||
+		(verMajor == 2 && verMinor == 3 && verMicro >= 3)
+}
+
+func TestGetApiLevel(t *testing.T) {
+	api, err := GetApi()
+	if !ApiLevelIsSupported() {
+		if api != 0 {
+			t.Errorf("API level returned despite lack of support: %v", api)
+		} else if err == nil {
+			t.Errorf("No error returned despite lack of API level support")
+		}
+
+		t.Skipf("Skipping test: %s", err)
+	} else if err != nil {
+		t.Errorf("Error getting API level: %s", err)
+	}
+	fmt.Printf("Got API level of %v\n", api)
+}
+
+func TestSetApiLevel(t *testing.T) {
+	var expectedApi uint
+
+	expectedApi = 1
+	err := SetApi(expectedApi)
+	if !ApiLevelIsSupported() {
+		if err == nil {
+			t.Errorf("No error returned despite lack of API level support")
+		}
+
+		t.Skipf("Skipping test: %s", err)
+	} else if err != nil {
+		t.Errorf("Error setting API level: %s", err)
+	}
+
+	api, err := GetApi()
+	if err != nil {
+		t.Errorf("Error getting API level: %s", err)
+	} else if api != expectedApi {
+		t.Errorf("Got API level %v: expected %v", api, expectedApi)
+	}
+}
+
 func TestActionSetReturnCode(t *testing.T) {
 	if ActInvalid.SetReturnCode(0x0010) != ActInvalid {
 		t.Errorf("Able to set a return code on invalid action!")