summaryrefslogtreecommitdiff
path: root/pkg/seccomp
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-02-12 19:13:23 +0100
committerGitHub <noreply@github.com>2020-02-12 19:13:23 +0100
commite74ad3596393a476b7e233da736a610ef19bc4a1 (patch)
tree0bfa9cbe917eaf51bb9be70b5e74d0e80af4910a /pkg/seccomp
parentdd5df42be94ee6df9351a45eea563df146e9212e (diff)
parent65d10ffab338ab0142e6595a646dab42f64af7d2 (diff)
downloadpodman-e74ad3596393a476b7e233da736a610ef19bc4a1.tar.gz
podman-e74ad3596393a476b7e233da736a610ef19bc4a1.tar.bz2
podman-e74ad3596393a476b7e233da736a610ef19bc4a1.zip
Merge pull request #5187 from vrothberg/pkg-seccomp
add pkg/seccomp
Diffstat (limited to 'pkg/seccomp')
-rw-r--r--pkg/seccomp/seccomp.go54
1 files changed, 54 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..dcf255378
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,54 @@
+package seccomp
+
+import (
+ "sort"
+
+ "github.com/pkg/errors"
+)
+
+// ContianerImageLabel is the key of the image annotation embedding a seccomp
+// profile.
+const ContainerImageLabel = "io.containers.seccomp.profile"
+
+// Policy denotes a seccomp policy.
+type Policy int
+
+const (
+ // PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
+ // otherwise use the default profile. The SeccompProfilePath might be
+ // explicitly set by the user.
+ PolicyDefault Policy = iota
+ // PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
+ // otherwise follow SeccompPolicyDefault.
+ PolicyImage
+)
+
+// Map for easy lookups of supported policies.
+var supportedPolicies = map[string]Policy{
+ "": PolicyDefault,
+ "default": PolicyDefault,
+ "image": PolicyImage,
+}
+
+// LookupPolicy looksup the corresponding Policy for the specified
+// string. If none is found, an errors is returned including the list of
+// supported policies.
+//
+// Note that an empty string resolved to SeccompPolicyDefault.
+func LookupPolicy(s string) (Policy, error) {
+ policy, exists := supportedPolicies[s]
+ if exists {
+ return policy, nil
+ }
+
+ // Sort the keys first as maps are non-deterministic.
+ keys := []string{}
+ for k := range supportedPolicies {
+ if k != "" {
+ keys = append(keys, k)
+ }
+ }
+ sort.Strings(keys)
+
+ return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
+}