diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2018-01-17 11:03:07 -0500 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-01-18 12:26:43 +0000 |
| commit | 0d69ca6637b30a3370529b3e272f27f6fafdb0c3 (patch) | |
| tree | d6a69ad97b497eb5304c3a5b516a6056f4c85460 /cmd/podman/spec.go | |
| parent | 0befd8dafd116ea5f231f5b360b500be08c39297 (diff) | |
| download | podman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.tar.gz podman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.tar.bz2 podman-0d69ca6637b30a3370529b3e272f27f6fafdb0c3.zip | |
Fix seccomp support
If user does not specify seccomp file or seccomp file does not exist,
then use the default seccomp settings.
Still need to not hard code /etc/crio/seccomp.json, should move this to
/usr/share/seccomp/seccomp.json
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #233
Approved by: baude
Diffstat (limited to 'cmd/podman/spec.go')
| -rw-r--r-- | cmd/podman/spec.go | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go index df1c54d50..59ea5685a 100644 --- a/cmd/podman/spec.go +++ b/cmd/podman/spec.go @@ -1,13 +1,13 @@ package main import ( - "encoding/json" "io/ioutil" "strings" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/daemon/caps" "github.com/docker/docker/pkg/mount" + "github.com/docker/docker/profiles/seccomp" "github.com/docker/go-units" "github.com/opencontainers/runc/libcontainer/devices" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -290,16 +290,31 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { } configSpec := g.Spec() - if config.SeccompProfilePath != "" && config.SeccompProfilePath != "unconfined" { - seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath) - if err != nil { - return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath) - } - var seccompConfig spec.LinuxSeccomp - if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil { - return nil, errors.Wrapf(err, "decoding seccomp profile (%s) failed", config.SeccompProfilePath) + // HANDLE CAPABILITIES + // NOTE: Must happen before SECCOMP + if err := setupCapabilities(config, configSpec); err != nil { + return nil, err + } + + // HANDLE SECCOMP + if config.SeccompProfilePath != "unconfined" { + if config.SeccompProfilePath != "" { + seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath) + if err != nil { + return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath) + } + seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), configSpec) + if err != nil { + return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath) + } + configSpec.Linux.Seccomp = seccompConfig + } else { + seccompConfig, err := seccomp.GetDefaultProfile(configSpec) + if err != nil { + return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath) + } + configSpec.Linux.Seccomp = seccompConfig } - configSpec.Linux.Seccomp = &seccompConfig } // BIND MOUNTS @@ -319,11 +334,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { } } - // HANDLE CAPABILITIES - if err := setupCapabilities(config, configSpec); err != nil { - return nil, err - } - // BLOCK IO blkio, err := config.CreateBlockIO() if err != nil { |