diff options
author | Valentin Rothberg <rothberg@redhat.com> | 2020-02-12 16:59:00 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2020-02-12 17:10:18 +0100 |
commit | 65d10ffab338ab0142e6595a646dab42f64af7d2 (patch) | |
tree | 8d3ceed8ea268c909c886fcc8c7b6c2473634d71 /pkg/seccomp/seccomp.go | |
parent | 62e20b6cd8bd62d3e0e79b19db9c837828ef8d96 (diff) | |
download | podman-65d10ffab338ab0142e6595a646dab42f64af7d2.tar.gz podman-65d10ffab338ab0142e6595a646dab42f64af7d2.tar.bz2 podman-65d10ffab338ab0142e6595a646dab42f64af7d2.zip |
add pkg/seccomp
Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'pkg/seccomp/seccomp.go')
-rw-r--r-- | pkg/seccomp/seccomp.go | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go new file mode 100644 index 000000000..dcf255378 --- /dev/null +++ b/pkg/seccomp/seccomp.go @@ -0,0 +1,54 @@ +package seccomp + +import ( + "sort" + + "github.com/pkg/errors" +) + +// ContianerImageLabel is the key of the image annotation embedding a seccomp +// profile. +const ContainerImageLabel = "io.containers.seccomp.profile" + +// Policy denotes a seccomp policy. +type Policy int + +const ( + // PolicyDefault - if set use SecurityConfig.SeccompProfilePath, + // otherwise use the default profile. The SeccompProfilePath might be + // explicitly set by the user. + PolicyDefault Policy = iota + // PolicyImage - if set use SecurityConfig.SeccompProfileFromImage, + // otherwise follow SeccompPolicyDefault. + PolicyImage +) + +// Map for easy lookups of supported policies. +var supportedPolicies = map[string]Policy{ + "": PolicyDefault, + "default": PolicyDefault, + "image": PolicyImage, +} + +// LookupPolicy looksup the corresponding Policy for the specified +// string. If none is found, an errors is returned including the list of +// supported policies. +// +// Note that an empty string resolved to SeccompPolicyDefault. +func LookupPolicy(s string) (Policy, error) { + policy, exists := supportedPolicies[s] + if exists { + return policy, nil + } + + // Sort the keys first as maps are non-deterministic. + keys := []string{} + for k := range supportedPolicies { + if k != "" { + keys = append(keys, k) + } + } + sort.Strings(keys) + + return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys) +} |