diff options
| author | Matthew Heon <mheon@redhat.com> | 2019-07-16 15:00:41 -0400 |
|---|---|---|
| committer | Matthew Heon <mheon@redhat.com> | 2019-07-17 16:48:38 -0400 |
| commit | c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 (patch) | |
| tree | 912709f28548ec28002786bd5c9a32904538ee7e /pkg | |
| parent | 156b6ef22230b296a06b50196e0191d191e15749 (diff) | |
| download | podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.gz podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.bz2 podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.zip | |
Populate inspect with security-opt settings
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/spec/spec.go | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index ca627f3aa..41054633f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -455,6 +455,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse } + for _, opt := range config.SecurityOpts { + // Split on both : and = + splitOpt := strings.Split(opt, "=") + if len(splitOpt) == 1 { + splitOpt = strings.Split(opt, ":") + } + if len(splitOpt) < 2 { + continue + } + switch splitOpt[0] { + case "label": + configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1] + case "seccomp": + configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1] + case "apparmor": + configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1] + } + } + return configSpec, nil } |