authorDaniel J Walsh <dwalsh@redhat.com>2017-11-03 14:46:51 +0000
committerAtomic Bot <atomic-devel@projectatomic.io>2017-11-03 20:55:10 +0000
commit098389dc3e7bbba7c266ad24c909f3a5422e2908 (patch)
tree6b060ab5edc032bf63acb37489241b788c0f9381 /cmd/kpod/spec.go
parent79a26cbd6dc5bff97726c4280db45362ddc83881 (diff)
Parse SecurityOpts
This should turn on handling of SELinux, NoNewPrivs, seccomp and Apparmor. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #15 Approved by: rhatdan
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r--cmd/kpod/spec.go23
1 files changed, 19 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b6fb8b128..d30c0d1a5 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -1,7 +1,9 @@
package main
import (
+ "encoding/json"
"fmt"
+ "io/ioutil"
"strings"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -91,16 +93,30 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Linux.Resources.Pids.Limit = config.resources.pidsLimit
}
+ // SECURITY OPTS
+ configSpec.Process.NoNewPrivileges = config.noNewPrivileges
+ configSpec.Process.ApparmorProfile = config.apparmorProfile
+ configSpec.Process.SelinuxLabel = config.processLabel
+ configSpec.Linux.MountLabel = config.mountLabel
+ if config.seccompProfilePath != "" && config.seccompProfilePath != "unconfined" {
+ seccompProfile, err := ioutil.ReadFile(config.seccompProfilePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.seccompProfilePath)
+ }
+ var seccompConfig spec.LinuxSeccomp
+ if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
+ return nil, errors.Wrapf(err, "decoding seccomp profile (%s) failed", config.seccompProfilePath)
+ }
+ configSpec.Linux.Seccomp = &seccompConfig
+ }
+
/*
Capabilities: &configSpec.LinuxCapabilities{
// Rlimits []PosixRlimit // Where does this come from
// Type string
// Hard uint64
// Limit uint64
- // NoNewPrivileges bool // No user input for this
- // ApparmorProfile string // No user input for this
OOMScoreAdj: &config.resources.oomScoreAdj,
- // Selinuxlabel
},
Hooks: &configSpec.Hooks{},
//Annotations
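Review bot: The decoded seccomp profile is assigned to `configSpec.Linux.Seccomp` without any validation after the `json.Unmarshal` into `seccompConfig`, so a file that is valid JSON but carries none of the expected keys (an empty `{}`, or a mis-spelled `defaultAction`) is accepted silently and yields a `LinuxSeccomp` whose `DefaultAction` is empty; what the runtime then does with such a profile is not visible here, but it is unlikely to be the restriction the operator intended. A minimal guard before the assignment would be `if seccompConfig.DefaultAction == "" { return nil, errors.Errorf("seccomp profile (%s) has no defaultAction", config.seccompProfilePath) }`. The `errors` package used by the two new `Wrapf` calls is not among the imports this commit adds, so presumably it is already imported further down the import block that the first hunk cuts off; worth confirming. `createConfigToOCISpec` begins and ends outside this hunk.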
@@ -116,7 +132,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
//CgroupsPath:
//Namespaces: []LinuxNamespace
//Devices
- Seccomp: &configSpec.LinuxSeccomp{
// DefaultAction:
// Architectures
// Syscalls: