authorDaniel J Walsh <dwalsh@redhat.com>2018-01-17 11:03:07 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-01-18 12:26:43 +0000
commit0d69ca6637b30a3370529b3e272f27f6fafdb0c3 (patch)
treed6a69ad97b497eb5304c3a5b516a6056f4c85460 /cmd/podman
parent0befd8dafd116ea5f231f5b360b500be08c39297 (diff)
Fix seccomp support
If the user does not specify a seccomp file, or the seccomp file does not exist, then use the default seccomp settings. Still need to stop hard-coding /etc/crio/seccomp.json; this should move to /usr/share/seccomp/seccomp.json. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #233 Approved by: baude
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/create.go17
-rw-r--r--cmd/podman/run_test.go38
-rw-r--r--cmd/podman/spec.go40
3 files changed, 66 insertions, 29 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 7ee364fab..262be129c 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -218,8 +218,6 @@ func createCmd(c *cli.Context) error {
return nil
}
-const seccompDefaultPath = "/etc/crio/seccomp.json"
-
func parseSecurityOpt(config *createConfig, securityOpts []string) error {
var (
labelOpts []string
@@ -269,12 +267,19 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
}
if config.SeccompProfilePath == "" {
- if _, err := os.Stat(seccompDefaultPath); err != nil {
+ if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
+ config.SeccompProfilePath = libpod.SeccompOverridePath
+ } else {
if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", seccompDefaultPath)
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
+ }
+ if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
+ }
+ } else {
+ config.SeccompProfilePath = libpod.SeccompDefaultPath
}
- } else {
- config.SeccompProfilePath = seccompDefaultPath
}
}
config.ProcessLabel, config.MountLabel, err = label.InitLabels(labelOpts)
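Review bot: The override/default lookup starting at `if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {` nests the same stat-and-IsNotExist check twice, which is what makes the block hard to follow; a small helper that returns the first path that exists would flatten it to one call and one error return. Note also that a successful stat only proves the path is present, not that it is a readable profile file (a directory at either path would pass here and only fail later when spec.go's ReadFile opens it), so the decision and the error the user eventually sees come from different places. parseSecurityOpt starts and ends outside this hunk.

```go
// firstExistingPath returns the first of paths that os.Stat can see, or ""
// when none of them exists. Only a stat failure other than "does not exist"
// is reported as an error.
func firstExistingPath(paths ...string) (string, error) {
	for _, p := range paths {
		_, err := os.Stat(p)
		if err == nil {
			return p, nil
		}
		if !os.IsNotExist(err) {
			return "", errors.Wrapf(err, "can't check if %q exists", p)
		}
	}
	return "", nil
}

// … in parseSecurityOpt, replacing the nested stat block …
	if config.SeccompProfilePath == "" {
		p, err := firstExistingPath(libpod.SeccompOverridePath, libpod.SeccompDefaultPath)
		if err != nil {
			return err
		}
		config.SeccompProfilePath = p
	}
	// … unchanged: label.InitLabels call and the rest of parseSecurityOpt …
```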
diff --git a/cmd/podman/run_test.go b/cmd/podman/run_test.go
index f083b39af..b82df86db 100644
--- a/cmd/podman/run_test.go
+++ b/cmd/podman/run_test.go
@@ -66,11 +66,24 @@ func createCLI() cli.App {
return a
}
-func getRuntimeSpec(c *cli.Context) *spec.Spec {
- runtime, _ := getRuntime(c)
- createConfig, _ := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
- runtimeSpec, _ := createConfigToOCISpec(createConfig)
- return runtimeSpec
+func getRuntimeSpec(c *cli.Context) (*spec.Spec, error) {
+ /*
+ TODO: This test has never worked. Need to install content
+ runtime, err := getRuntime(c)
+ if err != nil {
+ return nil, err
+ }
+ createConfig, err := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
+ */
+ createConfig, err := parseCreateOpts(c, nil, "alpine", generateAlpineImageData())
+ if err != nil {
+ return nil, err
+ }
+ runtimeSpec, err := createConfigToOCISpec(createConfig)
+ if err != nil {
+ return nil, err
+ }
+ return runtimeSpec, nil
}
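Review bot: The block comment beginning `TODO: This test has never worked.` keeps dead code alive as a comment while the live call passes `nil` for the runtime; if parseCreateOpts dereferences its runtime argument, getRuntimeSpec will panic rather than return the error the new signature promises, which seems worth stating for the next person who enables it. I would collapse the block to a one-line comment above the call, `// TODO: runs with a nil runtime until test content is installed; switch to getRuntime(c) once it is.`, and drop the quoted code. getRuntimeSpec is fully within the hunk.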
// TestPIDsLimit verifies the inputed pid-limit is correctly defined in the spec
@@ -78,7 +91,10 @@ func TestPIDsLimit(t *testing.T) {
a := createCLI()
args := []string{"--pids-limit", "22"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
assert.Equal(t, runtimeSpec.Linux.Resources.Pids.Limit, int64(22))
}
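Review bot: `t.Fatalf(err.Error())` passes a non-constant string as the format, so any `%` in the error text is misinterpreted and go vet's printf check flags it; `t.Fatal(err)` is the idiomatic form. The same pattern is repeated in the TestBLKIOWeightDevice and TestMemorySwap hunks below. TestPIDsLimit starts outside the hunk.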
@@ -87,7 +103,10 @@ func TestBLKIOWeightDevice(t *testing.T) {
a := createCLI()
args := []string{"--blkio-weight-device", "/dev/sda:100"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
assert.Equal(t, *runtimeSpec.Linux.Resources.BlockIO.WeightDevice[0].Weight, uint16(100))
}
@@ -96,7 +115,10 @@ func TestMemorySwap(t *testing.T) {
a := createCLI()
args := []string{"--memory-swap", "45m", "--memory", "40m"}
a.Run(append(cmd, args...))
- runtimeSpec := getRuntimeSpec(CLI)
+ runtimeSpec, err := getRuntimeSpec(CLI)
+ if err != nil {
+ t.Fatalf(err.Error())
+ }
mem, _ := units.RAMInBytes("45m")
assert.Equal(t, *runtimeSpec.Linux.Resources.Memory.Swap, mem)
}
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index df1c54d50..59ea5685a 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -1,13 +1,13 @@
package main
import (
- "encoding/json"
"io/ioutil"
"strings"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/profiles/seccomp"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/devices"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -290,16 +290,31 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
configSpec := g.Spec()
- if config.SeccompProfilePath != "" && config.SeccompProfilePath != "unconfined" {
- seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath)
- if err != nil {
- return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
- }
- var seccompConfig spec.LinuxSeccomp
- if err := json.Unmarshal(seccompProfile, &seccompConfig); err != nil {
- return nil, errors.Wrapf(err, "decoding seccomp profile (%s) failed", config.SeccompProfilePath)
+ // HANDLE CAPABILITIES
+ // NOTE: Must happen before SECCOMP
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+
+ // HANDLE SECCOMP
+ if config.SeccompProfilePath != "unconfined" {
+ if config.SeccompProfilePath != "" {
+ seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ configSpec.Linux.Seccomp = seccompConfig
+ } else {
+ seccompConfig, err := seccomp.GetDefaultProfile(configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+ }
+ configSpec.Linux.Seccomp = seccompConfig
}
- configSpec.Linux.Seccomp = &seccompConfig
}
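Review bot: In the default-profile branch the error at `errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)` interpolates a path that is known to be empty in that branch, so the user would see `loading seccomp profile () failed`; `return nil, errors.Wrap(err, "loading default seccomp profile failed")` says what actually happened. The `// NOTE: Must happen before SECCOMP` comment would be more useful if it stated the reason — presumably that LoadProfile and GetDefaultProfile derive the syscall rules from the capabilities already set on configSpec — e.g. `// NOTE: Must happen before SECCOMP: the profile is built from the capability set already on the spec.` createConfigToOCISpec starts and ends outside this hunk.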
// BIND MOUNTS
@@ -319,11 +334,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
}
- // HANDLE CAPABILITIES
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
- }
-
// BLOCK IO
blkio, err := config.CreateBlockIO()
if err != nil {