From 66fcafa4d45a26b59ad3662419cd3c778e23c39c Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Mon, 10 Aug 2020 10:16:28 +0200
Subject: Allow specifying seccomp profiles for privileged containers

To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers.

Signed-off-by: Sascha Grunert
---
 pkg/specgen/generate/security.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'pkg/specgen/generate/security.go')

diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fcd1622f9..840dcb72d 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 configSpec.Linux.Seccomp = seccompConfig
 }
-	// Clear default Seccomp profile from Generator for privileged containers
-	if s.SeccompProfilePath == "unconfined" || s.Privileged {
+	// Clear default Seccomp profile from Generator for unconfined containers
+	// and privileged containers which do not specify a seccomp profile.
+	if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
 configSpec.Linux.Seccomp = nil
 }
-- 
cgit v1.2.3-54-g00ecf
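Review bot: The new condition on the added `if` line decides "no seccomp profile was specified" by comparing s.SeccompProfilePath against config.SeccompOverridePath and config.SeccompDefaultPath, so a privileged container whose caller explicitly passed the default profile's path still has configSpec.Linux.Seccomp cleared, because string equality with the default path cannot tell "left unset and filled in by defaults" from "explicitly requested". If the code that populates SeccompProfilePath (outside this hunk, presumably) records whether the value was defaulted, testing that instead would honour an explicit request and avoid silently dropping a profile the user asked for; if it does not, the new comment should at least state this limitation. The expression is also long enough to hide that subtlety, so hoisting it into a named boolean reads better: `usesDefaultProfile := s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath` followed by `if s.SeccompProfilePath == "unconfined" || (s.Privileged && usesDefaultProfile) {`. securityConfigureGenerator begins and ends outside this hunk.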