author | Daniel J Walsh <dwalsh@redhat.com> | 2017-11-03 14:46:51 +0000 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2017-11-03 20:55:10 +0000 |
commit | 098389dc3e7bbba7c266ad24c909f3a5422e2908 (patch) | |
tree | 6b060ab5edc032bf63acb37489241b788c0f9381 /cmd/kpod/spec.go | |
parent | 79a26cbd6dc5bff97726c4280db45362ddc83881 (diff) | |
Parse SecurityOpts
This should turn on handling of SELinux, NoNewPrivs, seccomp and Apparmor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #15
Approved by: rhatdan
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r-- | cmd/kpod/spec.go | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b6fb8b128..d30c0d1a5 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -1,7 +1,9 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"strings"
 
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -91,16 +93,30 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		configSpec.Linux.Resources.Pids.Limit = config.resources.pidsLimit
 	}
 
+	// SECURITY OPTS
+	configSpec.Process.NoNewPrivileges = config.noNewPrivileges
+	configSpec.Process.ApparmorProfile = config.apparmorProfile
+	configSpec.Process.SelinuxLabel = config.processLabel
+	configSpec.Linux.MountLabel = config.mountLabel
+	if config.seccompProfilePath != "" && config.seccompProfilePath != "unconfined" {
+		seccompProfile, err := ioutil.ReadFile(config.seccompProfilePath)
+		if err != nil {
+			return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.seccompProfilePath)
+		}
+		var seccompConfig spec.LinuxSeccomp
+		if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
+			return nil, errors.Wrapf(err, "decoding seccomp profile (%s) failed", config.seccompProfilePath)
+		}
+		configSpec.Linux.Seccomp = &seccompConfig
+	}
+
 	/*
 		Capabilities: &configSpec.LinuxCapabilities{
 		// Rlimits []PosixRlimit // Where does this come from
 		// Type string
 		// Hard uint64
 		// Limit uint64
-		// NoNewPrivileges bool // No user input for this
-		// ApparmorProfile string // No user input for this
 		OOMScoreAdj: &config.resources.oomScoreAdj,
-		// Selinuxlabel
 		},
 		Hooks: &configSpec.Hooks{},
 		//Annotations
@@ -116,7 +132,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		//CgroupsPath:
 		//Namespaces: []LinuxNamespace
 		//Devices
-		Seccomp: &configSpec.LinuxSeccomp{
 		// DefaultAction:
 		// Architectures
 		// Syscalls: |
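Review bot: The decoded seccomp profile in the second hunk is installed without any validation: `json.Unmarshal` into `spec.LinuxSeccomp` accepts an empty `{}` or a file whose keys are misspelled and yields a zero-value struct with an empty DefaultAction, which then becomes the container's seccomp configuration instead of an error. Add a check after the decode, e.g. `if seccompConfig.DefaultAction == "" { return nil, fmt.Errorf("seccomp profile (%s) has no defaultAction", config.seccompProfilePath) }`, so a malformed profile fails the create rather than silently producing an unintended filter. The same block calls `errors.Wrapf`, but the import hunk only adds `encoding/json` and `io/ioutil`; if `errors` is not already imported further down the import block (outside the hunk) this will not compile. Note also that an empty `seccompProfilePath` leaves `Linux.Seccomp` untouched, so unless a default profile is loaded elsewhere the container runs without seccomp by default — worth a comment stating that this is intended. The body of createConfigToOCISpec continues outside the hunk.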