Merge pull request #20428 from jfrazelle/generate-conversion

generate seccomp profile convert type
2016-02-26 10:28:23 -05:00 · 2016-02-26 10:28:23 -05:00 · c47674efda
commit c47674efda
parent 9792308b84 11435b674b
8 changed files with 981 additions and 962 deletions
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@ -72,7 +72,10 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 		}

 		if c.SeccompProfile == "" {
-			container.Seccomp = seccomp.GetDefaultProfile()
+			container.Seccomp, err = seccomp.GetDefaultProfile()
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 	// add CAP_ prefix to all caps for new libcontainer update to match
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@ -909,3 +909,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
 		c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err)
 	}
 }
+
+// make sure the default profile can be successfully parsed (using unshare as it is
+// something which we know is blocked in the default profile)
+func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp:../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted")
+}
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
--- a/profiles/seccomp/generate.go
+++ b/profiles/seccomp/generate.go
@ -20,11 +20,8 @@ func main() {
 	}
 	f := filepath.Join(wd, "default.json")

-	// get the default profile
-	p := seccomp.GetDefaultProfile()
-
 	// write the default profile to the file
-	b, err := json.MarshalIndent(p, "", "\t")
+	b, err := json.MarshalIndent(seccomp.DefaultProfile, "", "\t")
 	if err != nil {
 		panic(err)
 	}
--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@ -14,8 +14,8 @@ import (
 //go:generate go run -tags 'seccomp' generate.go

 // GetDefaultProfile returns the default seccomp profile.
-func GetDefaultProfile() *configs.Seccomp {
-	return defaultProfile
+func GetDefaultProfile() (*configs.Seccomp, error) {
+	return setupSeccomp(DefaultProfile)
 }

 // LoadProfile takes a file path a decodes the seccomp profile.
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@ -12,7 +12,16 @@ func TestLoadProfile(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-
+	if _, err := LoadProfile(string(f)); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestLoadDefaultProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("default.json")
+	if err != nil {
+		t.Fatal(err)
+	}
 	if _, err := LoadProfile(string(f)); err != nil {
 		t.Fatal(err)
 	}
--- a/profiles/seccomp/seccomp_unsupported.go
+++ b/profiles/seccomp/seccomp_unsupported.go
@ -2,9 +2,9 @@

 package seccomp

-import "github.com/opencontainers/runc/libcontainer/configs"
+import "github.com/docker/engine-api/types"

 var (
-	// defaultProfile is a nil pointer on unsupported systems.
-	defaultProfile *configs.Seccomp
+	// DefaultProfile is a nil pointer on unsupported systems.
+	DefaultProfile *types.Seccomp
 )