From f3f4c54f2abc341cee1e7b83e9538d91a3c627e3 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <rothberg@redhat.com>
Date: Tue, 7 Jan 2020 16:48:07 +0100
Subject: policy for seccomp-profile selection

Implement a policy for selecting a seccomp profile.  In addition to the
default behaviour (default profile unless --security-opt seccomp is set)
add a second policy doing a lookup in the image annotation.

If the image has the "io.containers.seccomp.profile" set its value will be
interpreted as a seccomp profile.  The policy can be selected via the
new --seccomp-policy CLI flag.

Once the containers.conf support is merged into libpod, we can add an
option there as well.

Note that this feature is marked as experimental and may change in the
future.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
---
 cmd/podman/shared/intermediate.go | 1 +
 1 file changed, 1 insertion(+)

(limited to 'cmd/podman/shared/intermediate.go')

diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go
index bc12bd2a5..55826625b 100644
--- a/cmd/podman/shared/intermediate.go
+++ b/cmd/podman/shared/intermediate.go
@@ -463,6 +463,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 	m["volume"] = newCRStringArray(c, "volume")
 	m["volumes-from"] = newCRStringSlice(c, "volumes-from")
 	m["workdir"] = newCRString(c, "workdir")
+	m["seccomp-policy"] = newCRString(c, "seccomp-policy")
 	// global flag
 	if !remote {
 		m["authfile"] = newCRString(c, "authfile")
-- 
cgit v1.2.3-54-g00ecf