Merge pull request #5187 from vrothberg/pkg-seccomp

add pkg/seccomp

3 files changed, 62 insertions, 49 deletions

diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..dcf255378
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,54 @@
+package seccomp
+
+import (
+	"sort"
+
+	"github.com/pkg/errors"
+)
+
+// ContianerImageLabel is the key of the image annotation embedding a seccomp
+// profile.
+const ContainerImageLabel = "io.containers.seccomp.profile"
+
+// Policy denotes a seccomp policy.
+type Policy int
+
+const (
+	// PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
+	// otherwise use the default profile.  The SeccompProfilePath might be
+	// explicitly set by the user.
+	PolicyDefault Policy = iota
+	// PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
+	// otherwise follow SeccompPolicyDefault.
+	PolicyImage
+)
+
+// Map for easy lookups of supported policies.
+var supportedPolicies = map[string]Policy{
+	"":        PolicyDefault,
+	"default": PolicyDefault,
+	"image":   PolicyImage,
+}
+
+// LookupPolicy looksup the corresponding Policy for the specified
+// string. If none is found, an errors is returned including the list of
+// supported policies.
+//
+// Note that an empty string resolved to SeccompPolicyDefault.
+func LookupPolicy(s string) (Policy, error) {
+	policy, exists := supportedPolicies[s]
+	if exists {
+		return policy, nil
+	}
+
+	// Sort the keys first as maps are non-deterministic.
+	keys := []string{}
+	for k := range supportedPolicies {
+		if k != "" {
+			keys = append(keys, k)
+		}
+	}
+	sort.Strings(keys)
+
+	return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
+}
diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go
index ae83c9d52..05f42c4da 100644
--- a/pkg/spec/config_linux_cgo.go
+++ b/pkg/spec/config_linux_cgo.go
@@ -5,9 +5,10 @@ package createconfig
 import (
 	"io/ioutil"
 
+	"github.com/containers/libpod/pkg/seccomp"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
-	seccomp "github.com/seccomp/containers-golang"
+	goSeccomp "github.com/seccomp/containers-golang"
 	"github.com/sirupsen/logrus"
 )
 
@@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 	var seccompConfig *spec.LinuxSeccomp
 	var err error
 
-	if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" {
+	if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" {
 		logrus.Debug("Loading seccomp profile from the security config")
-		seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
 		if err != nil {
 			return nil, errors.Wrap(err, "loading seccomp profile failed")
 		}
@@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 		if err != nil {
 			return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
-		seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
 	} else {
 		logrus.Debug("Loading default seccomp profile")
-		seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
+		seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index fb222083b..173dfb842 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -2,7 +2,6 @@ package createconfig
 
 import (
 	"os"
-	"sort"
 	"strconv"
 	"strings"
 	"syscall"
@@ -11,6 +10,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/namespaces"
+	"github.com/containers/libpod/pkg/seccomp"
 	"github.com/containers/storage"
 	"github.com/docker/go-connections/nat"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -107,48 +107,6 @@ type NetworkConfig struct {
 	PublishAll   bool     //publish-all
 }
 
-// SeccompPolicy determines which seccomp profile gets applied to the container.
-type SeccompPolicy int
-
-const (
-	// SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath,
-	// otherwise use the default profile.  The SeccompProfilePath might be
-	// explicitly set by the user.
-	SeccompPolicyDefault SeccompPolicy = iota
-	// SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
-	// otherwise follow SeccompPolicyDefault.
-	SeccompPolicyImage
-)
-
-// Map for easy lookups of supported policies.
-var supportedSeccompPolicies = map[string]SeccompPolicy{
-	"":        SeccompPolicyDefault,
-	"default": SeccompPolicyDefault,
-	"image":   SeccompPolicyImage,
-}
-
-// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified
-// string. If none is found, an errors is returned including the list of
-// supported policies.
-// Note that an empty string resolved to SeccompPolicyDefault.
-func LookupSeccompPolicy(s string) (SeccompPolicy, error) {
-	policy, exists := supportedSeccompPolicies[s]
-	if exists {
-		return policy, nil
-	}
-
-	// Sort the keys first as maps are non-deterministic.
-	keys := []string{}
-	for k := range supportedSeccompPolicies {
-		if k != "" {
-			keys = append(keys, k)
-		}
-	}
-	sort.Strings(keys)
-
-	return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
-}
-
 // SecurityConfig configures the security features for the container
 type SecurityConfig struct {
 	CapAdd                  []string // cap-add
@@ -158,7 +116,7 @@ type SecurityConfig struct {
 	ApparmorProfile         string   //SecurityOpts
 	SeccompProfilePath      string   //SecurityOpts
 	SeccompProfileFromImage string   // seccomp profile from the container image
-	SeccompPolicy           SeccompPolicy
+	SeccompPolicy           seccomp.Policy
 	SecurityOpts            []string
 	Privileged              bool              //privileged
 	ReadOnlyRootfs          bool              //read-only