From 4a39327bc5a45ecec4837661dd6069f230c4e1e0 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Tue, 13 Feb 2018 14:23:48 -0500
Subject: Disable default Seccomp profile with privileged containers

Signed-off-by: Matthew Heon
Closes: #326
Approved by: baude
---
 cmd/podman/spec.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'cmd')

diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 5206a4d36..3a2402d0e 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -330,6 +330,11 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 }
 }
 
+ // Clear default Seccomp profile from Generator for privileged containers
+ if config.SeccompProfilePath == "unconfined" || config.Privileged {
+ configSpec.Linux.Seccomp = nil
+ }
+
 // BIND MOUNTS
 mounts, err := config.GetVolumeMounts()
 if err != nil {
-- 
cgit v1.2.3-54-g00ecf
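Review bot: The added condition lets `config.Privileged` discard the seccomp filter even when the user also supplied an explicit profile in `config.SeccompProfilePath`, and nothing in the hunk records that the container will run with no syscall filtering. Because this is a security downgrade, I would state the precedence in the comment, e.g. `// --privileged overrides any seccomp profile path: the container runs with no syscall filter`, and emit a debug log when the profile is cleared. It is also worth confirming that no later code in createConfigToOCISpec (the body continues outside the hunk) loads a profile from `SeccompProfilePath` and reassigns `configSpec.Linux.Seccomp`, which would undo the clear for privileged containers. The assignment assumes `configSpec.Linux` is non-nil, which presumably holds for the Generator's default spec but is not visible here.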