Disable default Seccomp profile with privileged containers

Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #326 Approved by: baude
author: Matthew Heon <matthew.heon@gmail.com> 2018-02-13 14:23:48 -0500
committer: Atomic Bot <atomic-devel@projectatomic.io> 2018-02-13 19:42:07 +0000
commit: 4a39327bc5a45ecec4837661dd6069f230c4e1e0 (patch)
tree: cd785bad3f08745ce6539f3dbccade60407493bc
parent: 35e1ad78fbab93f9efcf5f6608e5bc5569277845 (diff)
download: podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.gz
podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.bz2
podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 5206a4d36..3a2402d0e 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -330,6 +330,11 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		}
 	}
 
+	// Clear default Seccomp profile from Generator for privileged containers
+	if config.SeccompProfilePath == "unconfined" || config.Privileged {
+		configSpec.Linux.Seccomp = nil
+	}
+
 	// BIND MOUNTS
 	mounts, err := config.GetVolumeMounts()
 	if err != nil {
author	Matthew Heon <matthew.heon@gmail.com>	2018-02-13 14:23:48 -0500
committer	Atomic Bot <atomic-devel@projectatomic.io>	2018-02-13 19:42:07 +0000
commit	4a39327bc5a45ecec4837661dd6069f230c4e1e0 (patch)
tree	cd785bad3f08745ce6539f3dbccade60407493bc
parent	35e1ad78fbab93f9efcf5f6608e5bc5569277845 (diff)
download	podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.gz podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.bz2 podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.zip