authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-11 07:19:21 -0400
committerGitHub <noreply@github.com>2020-08-11 07:19:21 -0400
commit6d3075a6c79a6e761c183e0d5e6aa239fad21b63 (patch)
treef0298e8417c1160d03be14de6b26f99bcc0e609c /pkg/specgen/generate
parent68c67d24308710d5ad23ee5ddeb35293e2123fb6 (diff)
parent97a2c86aab36f4d931371e4ac80d45d70aa575d2 (diff)
Merge pull request #7269 from openSUSE/seccomp
Allow specifying seccomp profiles for privileged containers
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/security.go5
1 files changed, 3 insertions, 2 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 4352ef718..5e4cc3399 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Linux.Seccomp = seccompConfig
}
- // Clear default Seccomp profile from Generator for privileged containers
- if s.SeccompProfilePath == "unconfined" || s.Privileged {
+ // Clear default Seccomp profile from Generator for unconfined containers
+ // and privileged containers which do not specify a seccomp profile.
+ if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
configSpec.Linux.Seccomp = nil
}
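Review bot: The new `if` condition infers "no profile specified" from `s.SeccompProfilePath` being equal to `config.SeccompOverridePath` or `config.SeccompDefaultPath`, so a privileged container whose user explicitly passes one of those two paths still ends up with `configSpec.Linux.Seccomp = nil` and runs without a filter. A privileged container with an empty `SeccompProfilePath` no longer reaches the clearing branch, which changes behaviour from the old `|| s.Privileged` unless the path is always defaulted before this point; that code is outside the hunk, so it should be confirmed. Because this branch decides whether syscall filtering is removed, I would name the predicate, e.g. `usesStockProfile := s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath` followed by `if s.SeccompProfilePath == "unconfined" || (s.Privileged && usesStockProfile) {`, and extend the comment to say that an explicitly passed default path cannot be told apart from no path. A unit test covering privileged with a custom profile, privileged with the default path, and `unconfined` would pin the intended outcome. securityConfigureGenerator starts and ends outside the hunk.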