kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

daemon: normalize seccomp profile as part of setupSeccompProfile()

Browse source 
This makes sure that the value set in the daemon can be used as-is,
without having to replicate the normalization logic elsewhere.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2021-07-07 13:09:54 +02:00
parent 04f932ac86
commit 27aaadb710
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
2 changed files with 13 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
daemon/daemon_unix.go
View file

@ -1706,16 +1706,19 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
}
func (daemon *Daemon) setupSeccompProfile() error {
if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
daemon.seccompProfilePath = daemon.configStore.SeccompProfile
if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
switch profile := daemon.configStore.SeccompProfile; profile {
case "", config.SeccompProfileDefault:
daemon.seccompProfilePath = config.SeccompProfileDefault
case config.SeccompProfileUnconfined:
daemon.seccompProfilePath = config.SeccompProfileUnconfined
default:
daemon.seccompProfilePath = profile
b, err := ioutil.ReadFile(profile)
if err != nil {
return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err)
return fmt.Errorf("opening seccomp profile (%s) failed: %v", profile, err)
}
daemon.seccompProfile = b
}
}
return nil
}

8
daemon/info.go
View file

@ -172,14 +172,10 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
securityOptions = append(securityOptions, "name=apparmor")
}
if sysInfo.Seccomp && supportsSeccomp {
profile := daemon.seccompProfilePath
if profile == "" {
profile = config.SeccompProfileDefault
}
if profile != config.SeccompProfileDefault {
if daemon.seccompProfilePath != config.SeccompProfileDefault {
v.Warnings = append(v.Warnings, "WARNING: daemon is not using the default seccomp profile")
}
securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
securityOptions = append(securityOptions, "name=seccomp,profile="+daemon.seccompProfilePath)
}
if selinux.GetEnabled() {
securityOptions = append(securityOptions, "name=selinux")