68e96f88ee
Commit b237189e6c implemented an option to
set the default seccomp profile in the daemon configuration. When that PR
was reviewed, it was discussed to have the option accept the path to a custom
profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966
However, in the implementation, the special "unconfined" value was not taken into
account. The "unconfined" value is meant to disable seccomp (more factually:
run with an empty profile).
While it's likely possible to achieve this by creating a file with an an empty
(`{}`) profile, and passing the path to that file, it's inconsistent with the
`--security-opt seccomp=unconfined` option on `docker run` and `docker create`,
which is both confusing, and makes it harder to use (especially on Docker Desktop,
where there's no direct access to the VM's filesystem).
This patch adds the missing check for the special "unconfined" value.
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
49 lines
1.5 KiB
Go
49 lines
1.5 KiB
Go
// +build linux,seccomp
|
|
|
|
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/containerd/containerd/containers"
|
|
coci "github.com/containerd/containerd/oci"
|
|
"github.com/docker/docker/container"
|
|
dconfig "github.com/docker/docker/daemon/config"
|
|
"github.com/docker/docker/profiles/seccomp"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const supportsSeccomp = true
|
|
|
|
// WithSeccomp sets the seccomp profile
|
|
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
|
if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
|
|
return nil
|
|
}
|
|
if c.HostConfig.Privileged {
|
|
return nil
|
|
}
|
|
if !daemon.seccompEnabled {
|
|
if c.SeccompProfile != "" {
|
|
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
|
|
}
|
|
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
|
|
c.SeccompProfile = dconfig.SeccompProfileUnconfined
|
|
return nil
|
|
}
|
|
var err error
|
|
switch {
|
|
case c.SeccompProfile != "":
|
|
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
|
|
case daemon.seccompProfile != nil:
|
|
s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
|
|
case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
|
|
c.SeccompProfile = dconfig.SeccompProfileUnconfined
|
|
default:
|
|
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
|
|
}
|
|
return err
|
|
}
|
|
}
|