summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2020-02-12 16:59:00 +0100
committerValentin Rothberg <rothberg@redhat.com>2020-02-12 17:10:18 +0100
commit65d10ffab338ab0142e6595a646dab42f64af7d2 (patch)
tree8d3ceed8ea268c909c886fcc8c7b6c2473634d71
parent62e20b6cd8bd62d3e0e79b19db9c837828ef8d96 (diff)
downloadpodman-65d10ffab338ab0142e6595a646dab42f64af7d2.tar.gz
podman-65d10ffab338ab0142e6595a646dab42f64af7d2.tar.bz2
podman-65d10ffab338ab0142e6595a646dab42f64af7d2.zip
add pkg/seccomp
Add pkg/seccomp to consolidate all seccomp-policy related code which is currently scattered across multiple packages and complicating the creatconfig refactoring. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
-rw-r--r--cmd/podman/shared/create.go9
-rw-r--r--pkg/seccomp/seccomp.go54
-rw-r--r--pkg/spec/config_linux_cgo.go11
-rw-r--r--pkg/spec/createconfig.go46
4 files changed, 65 insertions, 55 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 3062b0ca3..e3a39a421 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -22,6 +22,7 @@ import (
"github.com/containers/libpod/pkg/inspect"
ns "github.com/containers/libpod/pkg/namespaces"
"github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/libpod/pkg/seccomp"
cc "github.com/containers/libpod/pkg/spec"
"github.com/containers/libpod/pkg/util"
"github.com/docker/go-connections/nat"
@@ -31,10 +32,6 @@ import (
"github.com/sirupsen/logrus"
)
-// seccompLabelKey is the key of the image annotation embedding a seccomp
-// profile.
-const seccompLabelKey = "io.containers.seccomp.profile"
-
func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
var (
healthCheck *manifest.Schema2HealthConfig
@@ -713,11 +710,11 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
// SECCOMP
if data != nil {
- if value, exists := labels[seccompLabelKey]; exists {
+ if value, exists := labels[seccomp.ContainerImageLabel]; exists {
secConfig.SeccompProfileFromImage = value
}
}
- if policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy")); err != nil {
+ if policy, err := seccomp.LookupPolicy(c.String("seccomp-policy")); err != nil {
return nil, err
} else {
secConfig.SeccompPolicy = policy
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..dcf255378
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,54 @@
+package seccomp
+
+import (
+ "sort"
+
+ "github.com/pkg/errors"
+)
+
+// ContianerImageLabel is the key of the image annotation embedding a seccomp
+// profile.
+const ContainerImageLabel = "io.containers.seccomp.profile"
+
+// Policy denotes a seccomp policy.
+type Policy int
+
+const (
+ // PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
+ // otherwise use the default profile. The SeccompProfilePath might be
+ // explicitly set by the user.
+ PolicyDefault Policy = iota
+ // PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
+ // otherwise follow SeccompPolicyDefault.
+ PolicyImage
+)
+
+// Map for easy lookups of supported policies.
+var supportedPolicies = map[string]Policy{
+ "": PolicyDefault,
+ "default": PolicyDefault,
+ "image": PolicyImage,
+}
+
+// LookupPolicy looksup the corresponding Policy for the specified
+// string. If none is found, an errors is returned including the list of
+// supported policies.
+//
+// Note that an empty string resolved to SeccompPolicyDefault.
+func LookupPolicy(s string) (Policy, error) {
+ policy, exists := supportedPolicies[s]
+ if exists {
+ return policy, nil
+ }
+
+ // Sort the keys first as maps are non-deterministic.
+ keys := []string{}
+ for k := range supportedPolicies {
+ if k != "" {
+ keys = append(keys, k)
+ }
+ }
+ sort.Strings(keys)
+
+ return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
+}
diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go
index ae83c9d52..05f42c4da 100644
--- a/pkg/spec/config_linux_cgo.go
+++ b/pkg/spec/config_linux_cgo.go
@@ -5,9 +5,10 @@ package createconfig
import (
"io/ioutil"
+ "github.com/containers/libpod/pkg/seccomp"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
- seccomp "github.com/seccomp/containers-golang"
+ goSeccomp "github.com/seccomp/containers-golang"
"github.com/sirupsen/logrus"
)
@@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
var seccompConfig *spec.LinuxSeccomp
var err error
- if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" {
+ if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" {
logrus.Debug("Loading seccomp profile from the security config")
- seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
+ seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
if err != nil {
return nil, errors.Wrap(err, "loading seccomp profile failed")
}
@@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
if err != nil {
return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
}
- seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
+ seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
if err != nil {
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
}
} else {
logrus.Debug("Loading default seccomp profile")
- seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
+ seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
if err != nil {
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index fb222083b..173dfb842 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -2,7 +2,6 @@ package createconfig
import (
"os"
- "sort"
"strconv"
"strings"
"syscall"
@@ -11,6 +10,7 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/namespaces"
+ "github.com/containers/libpod/pkg/seccomp"
"github.com/containers/storage"
"github.com/docker/go-connections/nat"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -107,48 +107,6 @@ type NetworkConfig struct {
PublishAll bool //publish-all
}
-// SeccompPolicy determines which seccomp profile gets applied to the container.
-type SeccompPolicy int
-
-const (
- // SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath,
- // otherwise use the default profile. The SeccompProfilePath might be
- // explicitly set by the user.
- SeccompPolicyDefault SeccompPolicy = iota
- // SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
- // otherwise follow SeccompPolicyDefault.
- SeccompPolicyImage
-)
-
-// Map for easy lookups of supported policies.
-var supportedSeccompPolicies = map[string]SeccompPolicy{
- "": SeccompPolicyDefault,
- "default": SeccompPolicyDefault,
- "image": SeccompPolicyImage,
-}
-
-// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified
-// string. If none is found, an errors is returned including the list of
-// supported policies.
-// Note that an empty string resolved to SeccompPolicyDefault.
-func LookupSeccompPolicy(s string) (SeccompPolicy, error) {
- policy, exists := supportedSeccompPolicies[s]
- if exists {
- return policy, nil
- }
-
- // Sort the keys first as maps are non-deterministic.
- keys := []string{}
- for k := range supportedSeccompPolicies {
- if k != "" {
- keys = append(keys, k)
- }
- }
- sort.Strings(keys)
-
- return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
-}
-
// SecurityConfig configures the security features for the container
type SecurityConfig struct {
CapAdd []string // cap-add
@@ -158,7 +116,7 @@ type SecurityConfig struct {
ApparmorProfile string //SecurityOpts
SeccompProfilePath string //SecurityOpts
SeccompProfileFromImage string // seccomp profile from the container image
- SeccompPolicy SeccompPolicy
+ SeccompPolicy seccomp.Policy
SecurityOpts []string
Privileged bool //privileged
ReadOnlyRootfs bool //read-only