summaryrefslogtreecommitdiff
path: root/pkg/spec
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2019-07-16 15:00:41 -0400
committerMatthew Heon <mheon@redhat.com>2019-07-17 16:48:38 -0400
commitc91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 (patch)
tree912709f28548ec28002786bd5c9a32904538ee7e /pkg/spec
parent156b6ef22230b296a06b50196e0191d191e15749 (diff)
downloadpodman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.gz
podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.bz2
podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.zip
Populate inspect with security-opt settings
We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/spec.go19
1 files changed, 19 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ca627f3aa..41054633f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -455,6 +455,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
}
+ for _, opt := range config.SecurityOpts {
+ // Split on both : and =
+ splitOpt := strings.Split(opt, "=")
+ if len(splitOpt) == 1 {
+ splitOpt = strings.Split(opt, ":")
+ }
+ if len(splitOpt) < 2 {
+ continue
+ }
+ switch splitOpt[0] {
+ case "label":
+ configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+ case "seccomp":
+ configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+ case "apparmor":
+ configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+ }
+ }
+
return configSpec, nil
}