
daemon: allow "builtin" as valid value for seccomp profiles

This allows containers to use the embedded default profile if a different
default is set (e.g. "unconfined") in the daemon configuration. Without this
option, users would have to copy the default profile to a file in order to
use the default.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 4 years ago
parent
commit
f8795ed364
3 changed files with 9 additions and 2 deletions
  1. 1 1
      daemon/daemon_unix.go
  2. 3 1
      daemon/seccomp_linux.go
  3. 5 0
      integration/daemon/daemon_test.go

+ 1 - 1
daemon/daemon_unix.go

@@ -1706,7 +1706,7 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
 }
 
 func (daemon *Daemon) setupSeccompProfile() error {
-	if daemon.configStore.SeccompProfile != "" {
+	if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
 		daemon.seccompProfilePath = daemon.configStore.SeccompProfile
 		if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
 			b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
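Review bot: The new condition in setupSeccompProfile reads daemon.configStore.SeccompProfile four times in four consecutive lines; hoisting it once, `profile := daemon.configStore.SeccompProfile`, and comparing `profile` against the two constants would make the two special values easier to read side by side. Why "builtin" is routed into the same branch as an unset value is also left unstated, and a comment on the if such as `// "builtin" (config.SeccompProfileDefault) leaves seccompProfilePath empty, like an unset value, so the embedded default profile is used` would record the intent. setupSeccompProfile continues past the end of the hunk, so what the empty-path branch actually does is inferred from the commit description rather than visible here.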

+ 3 - 1
daemon/seccomp_linux.go

@@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 			return nil
 		}
 		if !daemon.seccompEnabled {
-			if c.SeccompProfile != "" {
+			if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
 				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 			}
 			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
@@ -35,6 +35,8 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		}
 		var err error
 		switch {
+		case c.SeccompProfile == dconfig.SeccompProfileDefault:
+			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
 		case c.SeccompProfile != "":
 			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
 		case daemon.seccompProfile != nil:
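Review bot: The new `SeccompProfileDefault` case at the top of the switch in WithSeccomp is correct only because it precedes the `c.SeccompProfile != ""` case, which would otherwise hand "builtin" to seccomp.LoadProfile as a file path; that ordering dependency deserves a comment, e.g. `// "builtin" must be matched before the generic non-empty case, which treats the value as a path`. In the first hunk of this file the same value now bypasses the error when seccomp is disabled in the kernel, so a container that explicitly asks for the builtin profile apparently proceeds with only the warning on the following line, whereas a path to a custom profile still fails; if that degradation is intended for an explicit request it would be worth stating in the warning text or the commit message, since an explicit request and an unset value look different to an operator. The remaining switch cases and the end of WithSeccomp lie outside the hunk.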

+ 5 - 0
integration/daemon/daemon_test.go

@@ -116,6 +116,11 @@ func TestConfigDaemonSeccompProfiles(t *testing.T) {
 			profile:         "",
 			expectedProfile: config.SeccompProfileDefault,
 		},
+		{
+			doc:             "default profile",
+			profile:         config.SeccompProfileDefault,
+			expectedProfile: config.SeccompProfileDefault,
+		},
 		{
 			doc:             "unconfined profile",
 			profile:         config.SeccompProfileUnconfined,
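Review bot: The added entry in TestConfigDaemonSeccompProfiles configures the daemon with the builtin profile and expects the builtin profile, which is the same expectation as the empty-profile entry directly above it; the scenario the commit description motivates, a daemon default of unconfined with a container requesting "builtin", is not exercised as far as this hunk shows. If the table allows a per-container profile, an entry pairing `profile: config.SeccompProfileUnconfined` at daemon level with the builtin profile requested by the container would pin the behaviour this change adds; the table's field definitions and its driver are outside the hunk, so this may already be covered elsewhere. The `doc:` text could also read "builtin profile" so the case is named by the value the commit title introduces rather than by the constant's role.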