From 1531509542194bf7800621b4b7a6071f53961dab Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Thu, 23 Jan 2020 10:04:18 +0100 Subject: seccomp policy: expect profile in config label Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg --- cmd/podman/shared/create.go | 6 +++--- docs/source/markdown/podman-create.1.md | 2 +- docs/source/markdown/podman-run.1.md | 2 +- test/e2e/config.go | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go index 15d6bddbb..2f637694b 100644 --- a/cmd/podman/shared/create.go +++ b/cmd/podman/shared/create.go @@ -31,9 +31,9 @@ import ( "github.com/sirupsen/logrus" ) -// seccompAnnotationKey is the key of the image annotation embedding a seccomp +// seccompLabelKey is the key of the image annotation embedding a seccomp // profile. -const seccompAnnotationKey = "io.containers.seccomp.profile" +const seccompLabelKey = "io.containers.seccomp.profile" func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) { var ( @@ -709,7 +709,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod. // SECCOMP if data != nil { - if value, exists := data.Annotations[seccompAnnotationKey]; exists { + if value, exists := labels[seccompLabelKey]; exists { secConfig.SeccompProfileFromImage = value } } diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 7f0c2260c..0e641f3a3 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -679,7 +679,7 @@ of the container is assumed to be managed externally. **--seccomp-policy**=*policy* -Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. +Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. Note that this feature is experimental and may change in the future. diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 2b1452b53..512a382a6 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -700,7 +700,7 @@ Note: On `SELinux` systems, the rootfs needs the correct label, which is by defa **--seccomp-policy**=*policy* -Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. +Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. Note that this feature is experimental and may change in the future. diff --git a/test/e2e/config.go b/test/e2e/config.go index 12d0e545e..96cc157be 100644 --- a/test/e2e/config.go +++ b/test/e2e/config.go @@ -19,8 +19,8 @@ var ( // The intention behind blocking all syscalls is to prevent // regressions in the future. The required syscalls can vary // depending on which runtime we're using. - alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:latest" + alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:label" // This image has a bogus/invalid seccomp profile which should // yield a json error when being read. - alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:latest" + alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:label" ) -- cgit v1.2.3-54-g00ecf