authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-04-28 15:40:30 -0400
committerGitHub <noreply@github.com>2021-04-28 15:40:30 -0400
commitdb67fedcbd1fcaf06d0d6655face5182ccd0cc87 (patch)
treef3bd173fc406903531cd451b3155720194fa2272
parent928dce57dfb11c110801547b9852aa4f87e37bb4 (diff)
parent18cb17ffeb33195879730b2bc83e1a2c82310e6a (diff)
downloadpodman-db67fedcbd1fcaf06d0d6655face5182ccd0cc87.tar.gz
podman-db67fedcbd1fcaf06d0d6655face5182ccd0cc87.tar.bz2
podman-db67fedcbd1fcaf06d0d6655face5182ccd0cc87.zip
Merge pull request #10155 from pablofsf/fix-default-seccomp
Use seccomp_profile as default profile if defined in containers.conf
-rw-r--r--libpod/define/info.go1
-rw-r--r--libpod/info.go7
-rw-r--r--libpod/util.go10
-rw-r--r--test/e2e/containers_conf_test.go19
4 files changed, 36 insertions, 1 deletions
diff --git a/libpod/define/info.go b/libpod/define/info.go
index 00146da48..87935be2d 100644
--- a/libpod/define/info.go
+++ b/libpod/define/info.go
@@ -17,6 +17,7 @@ type SecurityInfo struct {
DefaultCapabilities string `json:"capabilities"`
Rootless bool `json:"rootless"`
SECCOMPEnabled bool `json:"seccompEnabled"`
+ SECCOMPProfilePath string `json:"seccompProfilePath"`
SELinuxEnabled bool `json:"selinuxEnabled"`
}
diff --git a/libpod/info.go b/libpod/info.go
index ef0c83a2a..7a28a4cf7 100644
--- a/libpod/info.go
+++ b/libpod/info.go
@@ -87,6 +87,12 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
if err != nil {
return nil, errors.Wrapf(err, "error getting hostname")
}
+
+ seccompProfilePath, err := DefaultSeccompPath()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error getting Seccomp profile path")
+ }
+
info := define.HostInfo{
Arch: runtime.GOARCH,
BuildahVersion: buildah.Version,
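Review bot: The added `DefaultSeccompPath()` call resolves the profile through `config.Default()` rather than the `r.config` that the rest of hostInfo reads (see the `r.config.Containers.DefaultCapabilities` line in the next hunk), so if a Runtime was constructed with a config other than the process default, `podman info` may report a seccomp profile path that is not the one the runtime actually applies. If that divergence is intended, a one-line comment above the call such as `// Reports the process-wide default, which may differ from r.config` would save the next reader from assuming the two agree; otherwise the helper should take the runtime's config as an argument. hostInfo's body starts and ends outside this hunk.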
@@ -106,6 +112,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
Rootless: rootless.IsRootless(),
SECCOMPEnabled: seccomp.IsEnabled(),
+ SECCOMPProfilePath: seccompProfilePath,
SELinuxEnabled: selinux.GetEnabled(),
},
Slirp4NetNS: define.SlirpInfo{},
diff --git a/libpod/util.go b/libpod/util.go
index b75c9179a..7f4a01f28 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -194,7 +194,15 @@ func programVersion(mountProgram string) (string, error) {
// if it exists, first it checks OverrideSeccomp and then default.
// If neither exist function returns ""
func DefaultSeccompPath() (string, error) {
- _, err := os.Stat(config.SeccompOverridePath)
+ def, err := config.Default()
+ if err != nil {
+ return "", err
+ }
+ if def.Containers.SeccompProfile != "" {
+ return def.Containers.SeccompProfile, nil
+ }
+
+ _, err = os.Stat(config.SeccompOverridePath)
if err == nil {
return config.SeccompOverridePath, nil
}
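Review bot: The doc comment on DefaultSeccompPath is now stale: it still says the function returns a path only "if it exists" and returns "" when neither exists, but the new branch returns `def.Containers.SeccompProfile` verbatim without an `os.Stat`, unlike the override and default paths below it. Either the comment should say so, e.g. `// If containers.conf sets seccomp_profile it is returned as configured, without checking that the file exists;`, or the configured path should be stat'd too so a misconfigured profile is reported here with context rather than at container creation. The bare `return "", err` from `config.Default()` would also read better wrapped, e.g. `return "", errors.Wrapf(err, "loading containers.conf for seccomp profile")`, matching the style of the callers in libpod/info.go. The remainder of the function lies outside the hunk.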
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go
index 803124de1..a354de3b2 100644
--- a/test/e2e/containers_conf_test.go
+++ b/test/e2e/containers_conf_test.go
@@ -353,4 +353,23 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("test"))
})
+
+ It("podman info seccomp profile path", func() {
+ configPath := filepath.Join(podmanTest.TempDir, "containers.conf")
+ os.Setenv("CONTAINERS_CONF", configPath)
+
+ profile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+ containersConf := []byte(fmt.Sprintf("[containers]\nseccomp_profile=\"%s\"", profile))
+ err = ioutil.WriteFile(configPath, containersConf, os.ModePerm)
+ Expect(err).To(BeNil())
+
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+
+ session := podmanTest.Podman([]string{"info", "--format", "{{.Host.Security.SECCOMPProfilePath}}"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(profile))
+ })
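Review bot: `os.Setenv("CONTAINERS_CONF", configPath)` is never undone, so the temporary containers.conf leaks into every later test in this process unless the suite's teardown resets it (not visible here); a deferred `os.Unsetenv("CONTAINERS_CONF")` or a restore of the previous value at the top of the `It` block would keep the test self-contained. The config file is also written with `os.ModePerm` (0777) where `0644` is enough for a config a test only reads. Note that the test never creates the file at `profile`, so it pins the current behaviour of reporting a seccomp_profile path that does not exist; if an existence check is added to DefaultSeccompPath later, this assertion will need a real file. The enclosing Describe block starts outside the hunk.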
})