summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2020-01-23 10:04:18 +0100
committerValentin Rothberg <rothberg@redhat.com>2020-01-23 10:06:43 +0100
commit1531509542194bf7800621b4b7a6071f53961dab (patch)
tree35427fbd19858ab4f28cd8a56ee13bacaa14757d
parentac3a6b80b0ccd2f9592110811ccf6fd844110b9e (diff)
downloadpodman-1531509542194bf7800621b4b7a6071f53961dab.tar.gz
podman-1531509542194bf7800621b4b7a6071f53961dab.tar.bz2
podman-1531509542194bf7800621b4b7a6071f53961dab.zip
seccomp policy: expect profile in config label
Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
-rw-r--r--cmd/podman/shared/create.go6
-rw-r--r--docs/source/markdown/podman-create.1.md2
-rw-r--r--docs/source/markdown/podman-run.1.md2
-rw-r--r--test/e2e/config.go4
4 files changed, 7 insertions, 7 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 15d6bddbb..2f637694b 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -31,9 +31,9 @@ import (
"github.com/sirupsen/logrus"
)
-// seccompAnnotationKey is the key of the image annotation embedding a seccomp
+// seccompLabelKey is the key of the image annotation embedding a seccomp
// profile.
-const seccompAnnotationKey = "io.containers.seccomp.profile"
+const seccompLabelKey = "io.containers.seccomp.profile"
func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
var (
@@ -709,7 +709,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
// SECCOMP
if data != nil {
- if value, exists := data.Annotations[seccompAnnotationKey]; exists {
+ if value, exists := labels[seccompLabelKey]; exists {
secConfig.SeccompProfileFromImage = value
}
}
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 7f0c2260c..0e641f3a3 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -679,7 +679,7 @@ of the container is assumed to be managed externally.
**--seccomp-policy**=*policy*
-Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
+Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
Note that this feature is experimental and may change in the future.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 2b1452b53..512a382a6 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -700,7 +700,7 @@ Note: On `SELinux` systems, the rootfs needs the correct label, which is by defa
**--seccomp-policy**=*policy*
-Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
+Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
Note that this feature is experimental and may change in the future.
diff --git a/test/e2e/config.go b/test/e2e/config.go
index 12d0e545e..96cc157be 100644
--- a/test/e2e/config.go
+++ b/test/e2e/config.go
@@ -19,8 +19,8 @@ var (
// The intention behind blocking all syscalls is to prevent
// regressions in the future. The required syscalls can vary
// depending on which runtime we're using.
- alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:latest"
+ alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:label"
// This image has a bogus/invalid seccomp profile which should
// yield a json error when being read.
- alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:latest"
+ alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:label"
)