daemon: normalize seccomp profile as part of setupSeccompProfile()

This makes sure that the value set in the daemon can be used as-is, without having to replicate the normalization logic elsewhere. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 12:21:53 -05:00 · 2021-07-07 13:09:54 +02:00 · 2021-07-07 13:09:54 +02:00 · 27aaadb710
commit 27aaadb710
parent 04f932ac86
2 changed files with 13 additions and 14 deletions
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@ -1706,15 +1706,18 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
 }

 func (daemon *Daemon) setupSeccompProfile() error {
-	if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
-		daemon.seccompProfilePath = daemon.configStore.SeccompProfile
-		if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
-			b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
-			if err != nil {
-				return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err)
-			}
-			daemon.seccompProfile = b
+	switch profile := daemon.configStore.SeccompProfile; profile {
+	case "", config.SeccompProfileDefault:
+		daemon.seccompProfilePath = config.SeccompProfileDefault
+	case config.SeccompProfileUnconfined:
+		daemon.seccompProfilePath = config.SeccompProfileUnconfined
+	default:
+		daemon.seccompProfilePath = profile
+		b, err := ioutil.ReadFile(profile)
+		if err != nil {
+			return fmt.Errorf("opening seccomp profile (%s) failed: %v", profile, err)
 		}
+		daemon.seccompProfile = b
 	}
 	return nil
 }
--- a/daemon/info.go
+++ b/daemon/info.go
@ -172,14 +172,10 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 		securityOptions = append(securityOptions, "name=apparmor")
 	}
 	if sysInfo.Seccomp && supportsSeccomp {
-		profile := daemon.seccompProfilePath
-		if profile == "" {
-			profile = config.SeccompProfileDefault
-		}
-		if profile != config.SeccompProfileDefault {
+		if daemon.seccompProfilePath != config.SeccompProfileDefault {
 			v.Warnings = append(v.Warnings, "WARNING: daemon is not using the default seccomp profile")
 		}
-		securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
+		securityOptions = append(securityOptions, "name=seccomp,profile="+daemon.seccompProfilePath)
 	}
 	if selinux.GetEnabled() {
 		securityOptions = append(securityOptions, "name=selinux")