From 27aaadb7104b944f350765edfcd87143aec9ae43 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 7 Jul 2021 13:09:54 +0200
Subject: [PATCH] daemon: normalize seccomp profile as part of setupSeccompProfile()
This makes sure that the value set in the daemon can be used as-is, without having to replicate the normalization logic elsewhere.
Signed-off-by: Sebastiaan van Stijn
---
 daemon/daemon_unix.go | 19 +++++++++++--------
 daemon/info.go | 8 ++------
 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index b3c5e0be7b..dca8beb739 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -1706,15 +1706,18 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
 }
 func (daemon *Daemon) setupSeccompProfile() error {
- if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
- daemon.seccompProfilePath = daemon.configStore.SeccompProfile
- if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
- b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
- if err != nil {
- return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err)
- }
- daemon.seccompProfile = b
+ switch profile := daemon.configStore.SeccompProfile; profile {
+ case "", config.SeccompProfileDefault:
+ daemon.seccompProfilePath = config.SeccompProfileDefault
+ case config.SeccompProfileUnconfined:
+ daemon.seccompProfilePath = config.SeccompProfileUnconfined
+ default:
+ daemon.seccompProfilePath = profile
+ b, err := ioutil.ReadFile(profile)
+ if err != nil {
+ return fmt.Errorf("opening seccomp profile (%s) failed: %v", profile, err)
 }
+ daemon.seccompProfile = b
 }
 return nil
 }
diff --git a/daemon/info.go b/daemon/info.go
index d1ccf776b8..1ffa3aeeb4 100644
--- a/daemon/info.go
+++ b/daemon/info.go
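Review bot: In the `default` case the profile bytes read by `ioutil.ReadFile(profile)` are stored in `daemon.seccompProfile` without being parsed, so unless something else validates them during startup a malformed custom profile is only reported when the first container is created; decoding the bytes once here (for example `json.Unmarshal` into the same profile type used at container start) would make a bad `--seccomp-profile` fail daemon startup instead. Since this function is now the single place that normalizes the value, it should say so in a doc comment, e.g. `// setupSeccompProfile loads the configured seccomp profile and normalizes daemon.seccompProfilePath to "default", "unconfined" or the file path, so callers never see the empty value.` The `return fmt.Errorf(...)` line could also wrap with `%w` rather than `%v` so callers can inspect the underlying `*os.PathError`.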
@@ -172,14 +172,10 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 securityOptions = append(securityOptions, "name=apparmor")
 }
 if sysInfo.Seccomp && supportsSeccomp {
- profile := daemon.seccompProfilePath
- if profile == "" {
- profile = config.SeccompProfileDefault
- }
- if profile != config.SeccompProfileDefault {
+ if daemon.seccompProfilePath != config.SeccompProfileDefault {
 v.Warnings = append(v.Warnings, "WARNING: daemon is not using the default seccomp profile")
 }
- securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
+ securityOptions = append(securityOptions, "name=seccomp,profile="+daemon.seccompProfilePath)
 }
 if selinux.GetEnabled() {
 securityOptions = append(securityOptions, "name=selinux")
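Review bot: The new `if daemon.seccompProfilePath != config.SeccompProfileDefault` comparison and the `"name=seccomp,profile="+daemon.seccompProfilePath` line now depend on setupSeccompProfile() having run and replaced the empty value, an invariant the old code guarded locally; if any startup path leaves the field empty, `docker info` would report `profile=` and emit the not-default warning for a daemon that is in fact using the default profile. That coupling deserves a comment at the `if` line, e.g. `// seccompProfilePath is normalized by setupSeccompProfile() at startup, so the empty value cannot occur here.` fillSecurityOptions begins and ends outside this hunk.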