author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-02-12 19:13:23 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-12 19:13:23 +0100 |
commit | e74ad3596393a476b7e233da736a610ef19bc4a1 (patch) | |
tree | 0bfa9cbe917eaf51bb9be70b5e74d0e80af4910a /pkg/seccomp | |
parent | dd5df42be94ee6df9351a45eea563df146e9212e (diff) | |
parent | 65d10ffab338ab0142e6595a646dab42f64af7d2 (diff) | |
Merge pull request #5187 from vrothberg/pkg-seccomp
add pkg/seccomp
Diffstat (limited to 'pkg/seccomp')
-rw-r--r-- | pkg/seccomp/seccomp.go | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..dcf255378
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,54 @@
+package seccomp
+
+import (
+ "sort"
+
+ "github.com/pkg/errors"
+)
+
+// ContianerImageLabel is the key of the image annotation embedding a seccomp
+// profile.
+const ContainerImageLabel = "io.containers.seccomp.profile"
+
+// Policy denotes a seccomp policy.
+type Policy int
+
+const (
+ // PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
+ // otherwise use the default profile. The SeccompProfilePath might be
+ // explicitly set by the user.
+ PolicyDefault Policy = iota
+ // PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
+ // otherwise follow SeccompPolicyDefault.
+ PolicyImage
+)
+
+// Map for easy lookups of supported policies.
+var supportedPolicies = map[string]Policy{
+ "": PolicyDefault,
+ "default": PolicyDefault,
+ "image": PolicyImage,
+}
+
+// LookupPolicy looksup the corresponding Policy for the specified
+// string. If none is found, an errors is returned including the list of
+// supported policies.
+//
+// Note that an empty string resolved to SeccompPolicyDefault.
+func LookupPolicy(s string) (Policy, error) {
+ policy, exists := supportedPolicies[s]
+ if exists {
+ return policy, nil
+ }
+
+ // Sort the keys first as maps are non-deterministic.
+ keys := []string{}
+ for k := range supportedPolicies {
+ if k != "" {
+ keys = append(keys, k)
+ }
+ }
+ sort.Strings(keys)
+
+ return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
+} |
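Review bot: The doc comments in this new file name identifiers that do not exist in the package: the comment above `const ContainerImageLabel` starts with the misspelled `ContianerImageLabel` (so godoc and lint no longer associate it with the constant), and both the `PolicyImage` comment and the `LookupPolicy` note refer to `SeccompPolicyDefault` while the constant declared here is `PolicyDefault`. Since a reader deciding which seccomp profile a container ends up with will follow these names, they should match the code: `// ContainerImageLabel is the key of the image annotation embedding a seccomp`, `// otherwise follow PolicyDefault.` and `// Note that an empty string resolves to PolicyDefault.`. The `LookupPolicy` comment also has "looksup" and "an errors is returned", which would read better as "looks up" and "an error is returned". As a minor style point, `keys := []string{}` could be `var keys []string`, since `append` and `sort.Strings` both accept a nil slice.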