seccomp_linux.go 1.2 KB

  1. // +build linux,seccomp
  2. package daemon
  3. import (
  4. "fmt"
  5. "github.com/Sirupsen/logrus"
  6. "github.com/docker/docker/container"
  7. "github.com/docker/docker/profiles/seccomp"
  8. "github.com/opencontainers/runtime-spec/specs-go"
  9. )
// supportsSeccomp is fixed to true in this build variant: the file is only
// compiled under the "linux,seccomp" build tag, so the daemon can report
// seccomp as a supported feature here. Whether the running kernel actually
// has seccomp enabled is a separate question (see daemon.seccompEnabled).
var (
	supportsSeccomp = true
)
// setSeccomp attaches a seccomp profile to the runtime spec rs for container c.
//
// Resolution order, first match wins:
//   - privileged containers get no seccomp profile at all;
//   - if the daemon reports seccomp as unavailable, a custom profile is
//     refused with an error, while a missing/"unconfined" profile only logs a
//     warning and the container is downgraded to "unconfined";
//   - an explicit "unconfined" profile leaves the spec untouched;
//   - otherwise the container's own profile, then the daemon-wide profile,
//     then the built-in default profile is loaded into rs.Linux.Seccomp.
//
// Side effect: when seccomp is unavailable, c.SeccompProfile is overwritten
// with "unconfined" on the shared container object, not just on the spec.
//
// Returns an error when a custom profile was requested without kernel
// support, or when loading/generating the chosen profile fails.
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
	// Privileged containers are never confined by seccomp.
	if c.HostConfig.Privileged {
		return nil
	}

	if !daemon.seccompEnabled {
		requested := c.SeccompProfile
		// A custom profile cannot be honoured without kernel support; fail
		// closed rather than silently run the container unconfined.
		if requested != "" && requested != "unconfined" {
			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
		}
		// Security caveat: the default profile is dropped here with only a
		// warning, i.e. the container runs unconfined.
		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
		c.SeccompProfile = "unconfined"
	}

	// Explicitly unconfined (or downgraded above): nothing to attach.
	if c.SeccompProfile == "unconfined" {
		return nil
	}

	var (
		loaded *specs.LinuxSeccomp
		err    error
	)
	switch {
	case c.SeccompProfile != "":
		// Per-container profile takes precedence over the daemon-wide one.
		loaded, err = seccomp.LoadProfile(c.SeccompProfile, rs)
	case daemon.seccompProfile != nil:
		// Daemon-wide profile; stored as bytes, LoadProfile wants a string.
		loaded, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
	default:
		loaded, err = seccomp.GetDefaultProfile(rs)
	}
	if err != nil {
		return err
	}

	// NOTE(review): assumes rs.Linux is already populated by the caller;
	// a nil rs.Linux would panic here — confirm against the spec builder.
	rs.Linux.Seccomp = loaded
	return nil
}