summaryrefslogtreecommitdiff
path: root/cmd/podman
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@gmail.com>2018-02-13 14:23:48 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-13 19:42:07 +0000
commit4a39327bc5a45ecec4837661dd6069f230c4e1e0 (patch)
treecd785bad3f08745ce6539f3dbccade60407493bc /cmd/podman
parent35e1ad78fbab93f9efcf5f6608e5bc5569277845 (diff)
downloadpodman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.gz
podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.tar.bz2
podman-4a39327bc5a45ecec4837661dd6069f230c4e1e0.zip
Disable default Seccomp profile with privileged containers
Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #326 Approved by: baude
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/spec.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 5206a4d36..3a2402d0e 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -330,6 +330,11 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
}
+ // Clear default Seccomp profile from Generator for privileged containers
+ if config.SeccompProfilePath == "unconfined" || config.Privileged {
+ configSpec.Linux.Seccomp = nil
+ }
+
// BIND MOUNTS
mounts, err := config.GetVolumeMounts()
if err != nil {