author | Pablo Correa Gómez <ablocorrea@hotmail.com> | 2021-04-28 15:19:19 +0200 |
---|---|---|
committer | Pablo Correa Gómez <ablocorrea@hotmail.com> | 2021-04-28 15:19:48 +0200 |
commit | 18cb17ffeb33195879730b2bc83e1a2c82310e6a (patch) | |
tree | 51a1d399ad0e97bf16d02a387841ee863ba8072d | |
parent | 4ca34fce08ffa9e29d0719e3e29383e9ffdb1572 (diff) | |
Use seccomp_profile as default profile if defined in containers.conf
Edits `podman info` so that the detected default seccomp profile
is reported in its output
Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
-rw-r--r-- | libpod/define/info.go | 1 | ||||
-rw-r--r-- | libpod/info.go | 7 | ||||
-rw-r--r-- | libpod/util.go | 10 | ||||
-rw-r--r-- | test/e2e/containers_conf_test.go | 19 |
4 files changed, 36 insertions, 1 deletions
diff --git a/libpod/define/info.go b/libpod/define/info.go
index 00146da48..87935be2d 100644
--- a/libpod/define/info.go
+++ b/libpod/define/info.go
@@ -17,6 +17,7 @@ type SecurityInfo struct {
 DefaultCapabilities string `json:"capabilities"`
 Rootless bool `json:"rootless"`
 SECCOMPEnabled bool `json:"seccompEnabled"`
+ SECCOMPProfilePath string `json:"seccompProfilePath"`
 SELinuxEnabled bool `json:"selinuxEnabled"`
 }
diff --git a/libpod/info.go b/libpod/info.go
index ef0c83a2a..7a28a4cf7 100644
--- a/libpod/info.go
+++ b/libpod/info.go
@@ -87,6 +87,12 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 if err != nil {
 return nil, errors.Wrapf(err, "error getting hostname")
 }
+
+ seccompProfilePath, err := DefaultSeccompPath()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error getting Seccomp profile path")
+ }
+
 info := define.HostInfo{
 Arch: runtime.GOARCH,
 BuildahVersion: buildah.Version,
@@ -106,6 +112,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
 Rootless: rootless.IsRootless(),
 SECCOMPEnabled: seccomp.IsEnabled(),
+ SECCOMPProfilePath: seccompProfilePath,
 SELinuxEnabled: selinux.GetEnabled(),
 },
 Slirp4NetNS: define.SlirpInfo{},
diff --git a/libpod/util.go b/libpod/util.go
index b75c9179a..7f4a01f28 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -194,7 +194,15 @@ func programVersion(mountProgram string) (string, error) {
 // if it exists, first it checks OverrideSeccomp and then default.
 // If neither exist function returns ""
 func DefaultSeccompPath() (string, error) {
- _, err := os.Stat(config.SeccompOverridePath)
+ def, err := config.Default()
+ if err != nil {
+ return "", err
+ }
+ if def.Containers.SeccompProfile != "" {
+ return def.Containers.SeccompProfile, nil
+ }
+
+ _, err = os.Stat(config.SeccompOverridePath)
 if err == nil {
 return config.SeccompOverridePath, nil
 }
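Review bot: The seccomp path added to `hostInfo` comes from `DefaultSeccompPath()`, which (per the libpod/util.go hunk) re-reads `config.Default()`, while the capabilities a few lines below are taken from the runtime's already-loaded `r.config`; if a Runtime can be built with a non-default config the two values could describe different configurations, which is worth confirming before shipping. The new early return also makes the whole of `podman info` fail whenever the config lookup errors, so an unreadable containers.conf now hides every other host field rather than just this one — acceptable if that is intended, but it should be a conscious choice. The wrapped message `"error getting Seccomp profile path"` could name the source, e.g. `errors.Wrapf(err, "error getting default seccomp profile path from containers.conf")`, so the operator knows which file to look at. `hostInfo` starts and ends outside the hunk.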
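Review bot: The configured `seccomp_profile` is returned without the `os.Stat` check that the override and default paths receive, so `podman info` will report a profile path that may not exist on disk, and the function's comment ("if it exists ... If neither exist function returns \"\"") no longer describes what the code does; that comment begins outside the hunk. An operator reading the new field could conclude that a profile is in place when the file is missing. Either validate the configured path as the other candidates are, `if _, err := os.Stat(def.Containers.SeccompProfile); err != nil { return "", err }`, which makes `podman info` agree with whatever container creation does with a missing file, or amend the comment to state that a `seccomp_profile` set in containers.conf is returned as given. Note also that `config.Default()` is parsed on every call; if callers already hold a loaded config, accepting it as a parameter would avoid both the repeated parse and any mismatch with the runtime's own config.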
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go
index 803124de1..a354de3b2 100644
--- a/test/e2e/containers_conf_test.go
+++ b/test/e2e/containers_conf_test.go
@@ -353,4 +353,23 @@ var _ = Describe("Podman run", func() {
 Expect(session.ExitCode()).To(Equal(0))
 Expect(session.OutputToString()).To(ContainSubstring("test"))
 })
+
+ It("podman info seccomp profile path", func() {
+ configPath := filepath.Join(podmanTest.TempDir, "containers.conf")
+ os.Setenv("CONTAINERS_CONF", configPath)
+
+ profile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+ containersConf := []byte(fmt.Sprintf("[containers]\nseccomp_profile=\"%s\"", profile))
+ err = ioutil.WriteFile(configPath, containersConf, os.ModePerm)
+ Expect(err).To(BeNil())
+
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+
+ session := podmanTest.Podman([]string{"info", "--format", "{{.Host.Security.SECCOMPProfilePath}}"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(profile))
+ })
 })
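Review bot: The test never writes the `seccomp.json` file it points `seccomp_profile` at, so it pins the behaviour that `podman info` echoes a configured path whether or not the profile exists; if `DefaultSeccompPath` is later made to validate the path this test fails for the wrong reason, so create an (empty) file at `profile` before invoking `podman info`. The config file is written with `os.ModePerm`, i.e. world-writable and executable, which is more than a containers.conf needs even in a temp dir; `err = ioutil.WriteFile(configPath, containersConf, 0644)` is sufficient. `CONTAINERS_CONF` is set with `os.Setenv` and not unset in the visible lines — presumably an AfterEach restores the environment, but confirm, since a leaked value would redirect later tests to this config. The enclosing Describe block starts outside the hunk.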