summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/config_linux_cgo.go
diff options
context:
space:
mode:
authorBrent Baude <bbaude@redhat.com>2020-04-14 14:13:06 -0500
committerBrent Baude <bbaude@redhat.com>2020-04-14 20:02:20 -0500
commit714718794236245e81d4552f30731157d731aa9d (patch)
tree041417f9fdc6a788aa57d069e2d472102ec09325 /pkg/specgen/generate/config_linux_cgo.go
parent0d01f09bf4103538a6011019b690e5aa11c377db (diff)
downloadpodman-714718794236245e81d4552f30731157d731aa9d.tar.gz
podman-714718794236245e81d4552f30731157d731aa9d.tar.bz2
podman-714718794236245e81d4552f30731157d731aa9d.zip
v2specgen prune libpod
use libpod only in the specgen/generate package so that the remote clients do not inherit libpod bloat. Signed-off-by: Brent Baude <bbaude@redhat.com>
Diffstat (limited to 'pkg/specgen/generate/config_linux_cgo.go')
-rw-r--r--pkg/specgen/generate/config_linux_cgo.go62
1 files changed, 62 insertions, 0 deletions
diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go
new file mode 100644
index 000000000..b06ef5c9a
--- /dev/null
+++ b/pkg/specgen/generate/config_linux_cgo.go
@@ -0,0 +1,62 @@
+// +build linux,cgo
+
+package generate
+
+import (
+ "context"
+ "io/ioutil"
+
+ "github.com/containers/libpod/libpod/image"
+ "github.com/containers/libpod/pkg/seccomp"
+ "github.com/containers/libpod/pkg/specgen"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
+ goSeccomp "github.com/seccomp/containers-golang"
+ "github.com/sirupsen/logrus"
+)
+
+func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, error) {
+ var seccompConfig *spec.LinuxSeccomp
+ var err error
+ scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
+ if err != nil {
+ return nil, err
+ }
+
+ if scp == seccomp.PolicyImage {
+ labels, err := img.Labels(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ imagePolicy := labels[seccomp.ContainerImageLabel]
+ if len(imagePolicy) < 1 {
+ return nil, errors.New("no seccomp policy defined by image")
+ }
+ logrus.Debug("Loading seccomp profile from the security config")
+ seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
+ if err != nil {
+ return nil, errors.Wrap(err, "loading seccomp profile failed")
+ }
+ return seccompConfig, nil
+ }
+
+ if s.SeccompProfilePath != "" {
+ logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
+ seccompProfile, err := ioutil.ReadFile(s.SeccompProfilePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ } else {
+ logrus.Debug("Loading default seccomp profile")
+ seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ }
+
+ return seccompConfig, nil
+}