
add docs and unconfined to run a container without the default seccomp profile

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Jessica Frazelle 9 anos atrás
pai
commit
15674c5fb7

+ 1 - 1
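--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -87,7 +87,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 		container.AppArmorProfile = c.AppArmorProfile
 	}
 
-	if c.SeccompProfile != "" {
+	if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
 		container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)
 		if err != nil {
 			return nil, err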
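Review bot: The `"unconfined"` literal in the new `if` is a bare magic string that the daemon's `--security-opt seccomp:` parsing presumably has to recognise as well, so it should be a named constant (e.g. `const seccompUnconfined = "unconfined"`) shared by both sites rather than repeated by hand. A why-comment above the condition would make the intent explicit, since skipping the branch is what leaves the container without a filter: `// "unconfined" deliberately leaves container.Seccomp unset so no seccomp filter is installed.` Because this is the point where seccomp is switched off for a container, a daemon-level log line here would give operators an audit trail of containers started unconfined. createContainer starts and ends outside the hunk, so whether the default profile is applied elsewhere when SeccompProfile is empty cannot be confirmed from these lines.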

+ 19 - 0
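--- a/docs/security/seccomp.md
+++ b/docs/security/seccomp.md
@@ -62,3 +62,22 @@ Then you can run with:
 ```
 $ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
 ```
+
+Default Profile
+---------------
+
+The default seccomp profile provides a sane default for running
+containers with seccomp. It is moderately protective while
+providing wide application compatibility.
+
+
+Overriding the default profile for a container
+----------------------------------------------
+
+You can pass `unconfined` to run a container without the default seccomp
+profile.
+
+```
+$ docker run --rm -it --security-opt seccomp:unconfined debian:jessie \
+    unshare --map-root-user --user sh -c whoami
+```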

+ 1 - 2
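--- a/hack/make/.ensure-userns-test
+++ b/hack/make/.ensure-userns-test
@@ -7,8 +7,7 @@ set -e
 dir="$DEST/userns-test"
 mkdir -p "$dir"
 (
-	GOOS=${DOCKER_ENGINE_GOOS:="linux"}
-	if [ "$GOOS" = "linux" ]; then
+	if [ "$(go env GOOS)" = "linux" ]; then
 		cd "$dir"
 		gcc -g -Wall -static ../../../../contrib/userns-test/main.c -o ./userns-test
 		cp ../../../../contrib/userns-test/Dockerfile .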
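Review bot: The new `if [ "$(go env GOOS)" = "linux" ]` silently skips the build when `go env` fails or `go` is not on PATH, because a command substitution inside an `if` test is not caught by the `set -e` shown in the hunk header; the substitution expands to an empty string, the comparison is false, and userns-test is never compiled, so tests that depend on the binary fail later with a less obvious error. Assigning first lets `set -e` abort at the real failure: `goos=$(go env GOOS)` followed by `if [ "$goos" = "linux" ]; then`. This hunk also drops the previous `DOCKER_ENGINE_GOOS` override without the commit description mentioning it, which seems unrelated to the seccomp change and is worth calling out so anyone relying on that variable is not surprised.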

+ 14 - 2
integration-cli/docker_cli_run_unix_test.go

@@ -598,8 +598,20 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
 	}
 	}
 }
 }
 
 
-// TestRunSeccompAllowPrivCloneUserns checks that 'docker run userns-test'
-// with a the default seccomp profile exits with operation not permitted.
+// TestRunSeccompUnconfinedCloneUserns checks that
+// 'docker run --security-opt seccomp:unconfined userns-test' allows creating a userns.
+func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
+
+	// make sure running w privileged is ok
+	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:unconfined", "userns-test", "id")
+	if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "nobody") {
+		c.Fatalf("expected clone userns with --security-opt seccomp:unconfined to succeed, got %s: %v", out, err)
+	}
+}
+
+// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged userns-test'
+// allows creating a userns.
 func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
 func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
 	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
 	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)