Allow specifying seccomp profiles for privileged containers

To sync the behavior between AppArmor and seccomp it is now possible to
also specify seccomp profiles for privileged containers.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

2 files changed, 30 insertions, 5 deletions

diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fcd1622f9..840dcb72d 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		configSpec.Linux.Seccomp = seccompConfig
 	}
 
-	// Clear default Seccomp profile from Generator for privileged containers
-	if s.SeccompProfilePath == "unconfined" || s.Privileged {
+	// Clear default Seccomp profile from Generator for unconfined containers
+	// and privileged containers which do not specify a seccomp profile.
+	if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
 		configSpec.Linux.Seccomp = nil
 	}
 
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 95eecd042..13f0db550 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -183,22 +183,46 @@ var _ = Describe("Podman run", func() {
 		Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE"))
 	})
 
-	It("podman run seccomp test", func() {
-
+	forbidGetCWDSeccompProfile := func() string {
 		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
 		jsonFile, err := podmanTest.CreateSeccompJson(in)
 		if err != nil {
 			fmt.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}
+		return jsonFile
+	}
+
+	It("podman run seccomp test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError())
+		match, _ := session.GrepString("Operation not permitted")
+		Expect(match).Should(BeTrue())
+	})
 
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+	It("podman run seccomp test --privileged", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())
 		match, _ := session.GrepString("Operation not permitted")
 		Expect(match).Should(BeTrue())
 	})
 
+	It("podman run seccomp test --privileged no profile should be unconfined", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("0"))
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman run seccomp test no profile should be default", func() {
+		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("2"))
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
 	It("podman run capabilities test", func() {
 		session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()