summaryrefslogtreecommitdiff
path: root/pkg/spec
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/config_linux_cgo.go11
-rw-r--r--pkg/spec/createconfig.go46
2 files changed, 8 insertions, 49 deletions
diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go
index ae83c9d52..05f42c4da 100644
--- a/pkg/spec/config_linux_cgo.go
+++ b/pkg/spec/config_linux_cgo.go
@@ -5,9 +5,10 @@ package createconfig
import (
"io/ioutil"
+ "github.com/containers/libpod/pkg/seccomp"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
- seccomp "github.com/seccomp/containers-golang"
+ goSeccomp "github.com/seccomp/containers-golang"
"github.com/sirupsen/logrus"
)
@@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
var seccompConfig *spec.LinuxSeccomp
var err error
- if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" {
+ if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" {
logrus.Debug("Loading seccomp profile from the security config")
- seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
+ seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
if err != nil {
return nil, errors.Wrap(err, "loading seccomp profile failed")
}
@@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
if err != nil {
return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
}
- seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
+ seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
if err != nil {
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
}
} else {
logrus.Debug("Loading default seccomp profile")
- seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
+ seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
if err != nil {
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index cf09299bc..8010be0d4 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -2,7 +2,6 @@ package createconfig
import (
"os"
- "sort"
"strconv"
"strings"
"syscall"
@@ -11,6 +10,7 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/namespaces"
+ "github.com/containers/libpod/pkg/seccomp"
"github.com/containers/storage"
"github.com/docker/go-connections/nat"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -108,48 +108,6 @@ type NetworkConfig struct {
PublishAll bool //publish-all
}
-// SeccompPolicy determines which seccomp profile gets applied to the container.
-type SeccompPolicy int
-
-const (
- // SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath,
- // otherwise use the default profile. The SeccompProfilePath might be
- // explicitly set by the user.
- SeccompPolicyDefault SeccompPolicy = iota
- // SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
- // otherwise follow SeccompPolicyDefault.
- SeccompPolicyImage
-)
-
-// Map for easy lookups of supported policies.
-var supportedSeccompPolicies = map[string]SeccompPolicy{
- "": SeccompPolicyDefault,
- "default": SeccompPolicyDefault,
- "image": SeccompPolicyImage,
-}
-
-// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified
-// string. If none is found, an errors is returned including the list of
-// supported policies.
-// Note that an empty string resolved to SeccompPolicyDefault.
-func LookupSeccompPolicy(s string) (SeccompPolicy, error) {
- policy, exists := supportedSeccompPolicies[s]
- if exists {
- return policy, nil
- }
-
- // Sort the keys first as maps are non-deterministic.
- keys := []string{}
- for k := range supportedSeccompPolicies {
- if k != "" {
- keys = append(keys, k)
- }
- }
- sort.Strings(keys)
-
- return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
-}
-
// SecurityConfig configures the security features for the container
type SecurityConfig struct {
CapAdd []string // cap-add
@@ -159,7 +117,7 @@ type SecurityConfig struct {
ApparmorProfile string //SecurityOpts
SeccompProfilePath string //SecurityOpts
SeccompProfileFromImage string // seccomp profile from the container image
- SeccompPolicy SeccompPolicy
+ SeccompPolicy seccomp.Policy
SecurityOpts []string
Privileged bool //privileged
ReadOnlyRootfs bool //read-only