diff options
author | Matthew Heon <matthew.heon@gmail.com> | 2018-02-13 14:23:48 -0500 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-02-13 19:42:07 +0000 |
commit | 4a39327bc5a45ecec4837661dd6069f230c4e1e0 (patch) | |
tree | cd785bad3f08745ce6539f3dbccade60407493bc /cmd/podman | |
parent | 35e1ad78fbab93f9efcf5f6608e5bc5569277845 (diff) | |
download | podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.gz podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.bz2 podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.zip |
Disable default Seccomp profile with privileged containers
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #326
Approved by: baude
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/spec.go | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go index 5206a4d36..3a2402d0e 100644 --- a/cmd/podman/spec.go +++ b/cmd/podman/spec.go @@ -330,6 +330,11 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { } } + // Clear default Seccomp profile from Generator for privileged containers + if config.SeccompProfilePath == "unconfined" || config.Privileged { + configSpec.Linux.Seccomp = nil + } + // BIND MOUNTS mounts, err := config.GetVolumeMounts() if err != nil { |