author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-04-15 16:38:52 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-15 16:38:52 +0200 |
commit | 37ed662f323ef4700ae14d441fb2264a59960baa (patch) | |
tree | f69f267eb26f166d6347e7c3bba0579c274dbba3 /pkg/specgen/generate/config_linux_cgo.go | |
parent | a756161e80cd32b705bb0dfe3ec4753f883ec929 (diff) | |
parent | 714718794236245e81d4552f30731157d731aa9d (diff) | |
Merge pull request #5814 from baude/v2specgenprunelibpod
v2specgen prune libpod
Diffstat (limited to 'pkg/specgen/generate/config_linux_cgo.go')
-rw-r--r-- | pkg/specgen/generate/config_linux_cgo.go | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go
new file mode 100644
index 000000000..b06ef5c9a
--- /dev/null
+++ b/pkg/specgen/generate/config_linux_cgo.go
@@ -0,0 +1,62 @@
+// +build linux,cgo
+
+package generate
+
+import (
+ "context"
+ "io/ioutil"
+
+ "github.com/containers/libpod/libpod/image"
+ "github.com/containers/libpod/pkg/seccomp"
+ "github.com/containers/libpod/pkg/specgen"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
+ goSeccomp "github.com/seccomp/containers-golang"
+ "github.com/sirupsen/logrus"
+)
+
+func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, error) {
+ var seccompConfig *spec.LinuxSeccomp
+ var err error
+ scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
+ if err != nil {
+ return nil, err
+ }
+
+ if scp == seccomp.PolicyImage {
+ labels, err := img.Labels(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ imagePolicy := labels[seccomp.ContainerImageLabel]
+ if len(imagePolicy) < 1 {
+ return nil, errors.New("no seccomp policy defined by image")
+ }
+ logrus.Debug("Loading seccomp profile from the security config")
+ seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
+ if err != nil {
+ return nil, errors.Wrap(err, "loading seccomp profile failed")
+ }
+ return seccompConfig, nil
+ }
+
+ if s.SeccompProfilePath != "" {
+ logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
+ seccompProfile, err := ioutil.ReadFile(s.SeccompProfilePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ } else {
+ logrus.Debug("Loading default seccomp profile")
+ seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
+ if err != nil {
+ return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+ }
+ }
+
+ return seccompConfig, nil
+} |
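Review bot: The error wrap in the final `else` branch (default profile) formats `s.SeccompProfilePath`, which is always empty there, so a failure of `GetDefaultProfile` is reported as "loading seccomp profile () failed"; it should read `return nil, errors.Wrap(err, "loading default seccomp profile failed")`. Separately, the `seccomp.PolicyImage` branch takes the profile text from the image label `seccomp.ContainerImageLabel`, i.e. content chosen by whoever built the image, and it returns before `s.SeccompProfilePath` is looked at, yet the debug line only says "from the security config". A doc comment on `getSeccompConfig` stating the precedence (image label, then explicit path, then default) and a log text such as `logrus.Debug("Loading seccomp profile from image label")` would let an operator tell from the logs which source confined the container. `img` is dereferenced in that branch without a nil check; whether callers always pass an image is not visible in this file.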