diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-02-12 19:13:23 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-02-12 19:13:23 +0100 |
| commit | e74ad3596393a476b7e233da736a610ef19bc4a1 (patch) | |
| tree | 0bfa9cbe917eaf51bb9be70b5e74d0e80af4910a /pkg/spec/createconfig.go | |
| parent | dd5df42be94ee6df9351a45eea563df146e9212e (diff) | |
| parent | 65d10ffab338ab0142e6595a646dab42f64af7d2 (diff) | |
| download | podman-e74ad3596393a476b7e233da736a610ef19bc4a1.tar.gz podman-e74ad3596393a476b7e233da736a610ef19bc4a1.tar.bz2 podman-e74ad3596393a476b7e233da736a610ef19bc4a1.zip | |
Merge pull request #5187 from vrothberg/pkg-seccomp
add pkg/seccomp
Diffstat (limited to 'pkg/spec/createconfig.go')
| -rw-r--r-- | pkg/spec/createconfig.go | 46 |
1 files changed, 2 insertions, 44 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index fb222083b..173dfb842 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -2,7 +2,6 @@ package createconfig import ( "os" - "sort" "strconv" "strings" "syscall" @@ -11,6 +10,7 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/namespaces" + "github.com/containers/libpod/pkg/seccomp" "github.com/containers/storage" "github.com/docker/go-connections/nat" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -107,48 +107,6 @@ type NetworkConfig struct { PublishAll bool //publish-all } -// SeccompPolicy determines which seccomp profile gets applied to the container. -type SeccompPolicy int - -const ( - // SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath, - // otherwise use the default profile. The SeccompProfilePath might be - // explicitly set by the user. - SeccompPolicyDefault SeccompPolicy = iota - // SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage, - // otherwise follow SeccompPolicyDefault. - SeccompPolicyImage -) - -// Map for easy lookups of supported policies. -var supportedSeccompPolicies = map[string]SeccompPolicy{ - "": SeccompPolicyDefault, - "default": SeccompPolicyDefault, - "image": SeccompPolicyImage, -} - -// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified -// string. If none is found, an errors is returned including the list of -// supported policies. -// Note that an empty string resolved to SeccompPolicyDefault. -func LookupSeccompPolicy(s string) (SeccompPolicy, error) { - policy, exists := supportedSeccompPolicies[s] - if exists { - return policy, nil - } - - // Sort the keys first as maps are non-deterministic. - keys := []string{} - for k := range supportedSeccompPolicies { - if k != "" { - keys = append(keys, k) - } - } - sort.Strings(keys) - - return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys) -} - // SecurityConfig configures the security features for the container type SecurityConfig struct { CapAdd []string // cap-add @@ -158,7 +116,7 @@ type SecurityConfig struct { ApparmorProfile string //SecurityOpts SeccompProfilePath string //SecurityOpts SeccompProfileFromImage string // seccomp profile from the container image - SeccompPolicy SeccompPolicy + SeccompPolicy seccomp.Policy SecurityOpts []string Privileged bool //privileged ReadOnlyRootfs bool //read-only |