authorSascha Grunert <sgrunert@suse.com>2020-08-10 10:16:28 +0200
committerMatthew Heon <matthew.heon@pm.me>2020-08-20 12:16:53 -0400
commit66fcafa4d45a26b59ad3662419cd3c778e23c39c (patch)
tree83bbeeb554c750dcd8d9079f369a95165ceaffda /pkg
parent7fb53bc240cea153fb054bcd307d3b1a8945a435 (diff)
Allow specifying seccomp profiles for privileged containers
To keep the behavior consistent between AppArmor and seccomp, it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/specgen/generate/security.go5
1 files changed, 3 insertions, 2 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fcd1622f9..840dcb72d 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Linux.Seccomp = seccompConfig
}
- // Clear default Seccomp profile from Generator for privileged containers
- if s.SeccompProfilePath == "unconfined" || s.Privileged {
+ // Clear default Seccomp profile from Generator for unconfined containers
+ // and privileged containers which do not specify a seccomp profile.
+ if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
configSpec.Linux.Seccomp = nil
}
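Review bot: The new condition on the `if` line decides whether a privileged container keeps seccomp by comparing the profile path string against the default and override paths, so a user who explicitly passes the default profile path for a privileged container gets the same result as passing nothing (seccomp cleared) — the string comparison cannot tell an explicit request from the defaulted value. If that is the intended semantics it should be stated in the comment, e.g. `// An explicitly requested profile whose path equals the default/override path is indistinguishable from the default and is also cleared for privileged containers.` The line would also read more clearly with the path test pulled into a named local: `isDefaultProfile := s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath` followed by `if s.SeccompProfilePath == "unconfined" || (s.Privileged && isDefaultProfile) {`. securityConfigureGenerator begins before this hunk and continues after it, and the earlier code that resolves an empty SeccompProfilePath is not visible here, so whether an empty path on a privileged container ends up with the default profile applied or cleared cannot be confirmed from this hunk alone.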