moby/daemon/seccomp_linux.go
Tianon Gravi c9e19a2aa1 Remove "seccomp" build tag
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library.  That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2022-05-12 14:48:35 -07:00

49 lines
1.6 KiB
Go

package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
"github.com/docker/docker/profiles/seccomp"
"github.com/sirupsen/logrus"
)
const supportsSeccomp = true
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
return nil
}
if c.HostConfig.Privileged {
return nil
}
if !daemon.RawSysInfo().Seccomp {
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
}
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
c.SeccompProfile = dconfig.SeccompProfileUnconfined
return nil
}
var err error
switch {
case c.SeccompProfile == dconfig.SeccompProfileDefault:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
case c.SeccompProfile != "":
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
case daemon.seccompProfile != nil:
s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
c.SeccompProfile = dconfig.SeccompProfileUnconfined
default:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
}
return err
}
}