From 04b43ccf64dd5166539743b44a95c9921ddc8a9f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Mon, 21 Dec 2020 10:10:47 -0500
Subject: Add Security information to podman info

When debugging issues, it would be helpful to know the
security settings of the system running into the problem.
Adding security info to `podman info` is also useful to users.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 libpod/define/info.go | 11 ++++++++++-
 libpod/info.go        | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 5 deletions(-)

(limited to 'libpod')

diff --git a/libpod/define/info.go b/libpod/define/info.go
index f0e05801c..00146da48 100644
--- a/libpod/define/info.go
+++ b/libpod/define/info.go
@@ -11,6 +11,15 @@ type Info struct {
 	Version    Version                `json:"version"`
 }
 
+//HostInfo describes the libpod host
+type SecurityInfo struct {
+	AppArmorEnabled     bool   `json:"apparmorEnabled"`
+	DefaultCapabilities string `json:"capabilities"`
+	Rootless            bool   `json:"rootless"`
+	SECCOMPEnabled      bool   `json:"seccompEnabled"`
+	SELinuxEnabled      bool   `json:"selinuxEnabled"`
+}
+
 //HostInfo describes the libpod host
 type HostInfo struct {
 	Arch           string                 `json:"arch"`
@@ -29,8 +38,8 @@ type HostInfo struct {
 	OCIRuntime     *OCIRuntimeInfo        `json:"ociRuntime"`
 	OS             string                 `json:"os"`
 	RemoteSocket   *RemoteSocket          `json:"remoteSocket,omitempty"`
-	Rootless       bool                   `json:"rootless"`
 	RuntimeInfo    map[string]interface{} `json:"runtimeInfo,omitempty"`
+	Security       SecurityInfo           `json:"security"`
 	Slirp4NetNS    SlirpInfo              `json:"slirp4netns,omitempty"`
 	SwapFree       int64                  `json:"swapFree"`
 	SwapTotal      int64                  `json:"swapTotal"`
diff --git a/libpod/info.go b/libpod/info.go
index 2f64a107e..1b3550abd 100644
--- a/libpod/info.go
+++ b/libpod/info.go
@@ -13,6 +13,8 @@ import (
 	"time"
 
 	"github.com/containers/buildah"
+	"github.com/containers/common/pkg/apparmor"
+	"github.com/containers/common/pkg/seccomp"
 	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/libpod/linkmode"
 	"github.com/containers/podman/v2/pkg/cgroups"
@@ -20,6 +22,7 @@ import (
 	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/system"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -98,10 +101,16 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 		MemFree:        mi.MemFree,
 		MemTotal:       mi.MemTotal,
 		OS:             runtime.GOOS,
-		Rootless:       rootless.IsRootless(),
-		Slirp4NetNS:    define.SlirpInfo{},
-		SwapFree:       mi.SwapFree,
-		SwapTotal:      mi.SwapTotal,
+		Security: define.SecurityInfo{
+			AppArmorEnabled:     apparmor.IsEnabled(),
+			DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
+			Rootless:            rootless.IsRootless(),
+			SECCOMPEnabled:      seccomp.IsEnabled(),
+			SELinuxEnabled:      selinux.GetEnabled(),
+		},
+		Slirp4NetNS: define.SlirpInfo{},
+		SwapFree:    mi.SwapFree,
+		SwapTotal:   mi.SwapTotal,
 	}
 
 	// CGroups version
-- 
cgit v1.2.3-54-g00ecf