From c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Tue, 16 Jul 2019 15:00:41 -0400
Subject: Populate inspect with security-opt settings

We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not).

Signed-off-by: Matthew Heon
---
 pkg/spec/spec.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'pkg')

diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ca627f3aa..41054633f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -455,6 +455,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
 }
+ for _, opt := range config.SecurityOpts {
+ // Split on both : and =
+ splitOpt := strings.Split(opt, "=")
+ if len(splitOpt) == 1 {
+ splitOpt = strings.Split(opt, ":")
+ }
+ if len(splitOpt) < 2 {
+ continue
+ }
+ switch splitOpt[0] {
+ case "label":
+ configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+ case "seccomp":
+ configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+ case "apparmor":
+ configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+ }
+ }
+
 return configSpec, nil
 }
--
cgit v1.2.3-54-g00ecf
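Review bot: The new loop's `strings.Split` followed by `splitOpt[1]` silently truncates any value that itself contains the separator, so the inspect annotations set in the `switch` can misreport the security setting: the legacy colon form `label:type:container_t` records just `type`, and an `=`-form value containing a second `=` (a seccomp profile path, say) loses everything after it. Splitting only once fixes both cases while keeping the `len(splitOpt) < 2` guard meaningful: `splitOpt := strings.SplitN(opt, "=", 2)` and, in the fallback, `splitOpt = strings.SplitN(opt, ":", 2)`. Because the annotation stores the caller-supplied string rather than what the runtime actually enforced (the commit message says as much for seccomp and SELinux/AppArmor), a comment above the loop such as `// Record the requested --security-opt values for inspect; this does not confirm the runtime applied them.` would stop consumers from treating inspect output as proof of enforcement. createConfigToOCISpec starts before this hunk.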