From c9e19a2aa182e06ebe1653a2c3af02563acf9e36 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 9 Jun 2021 11:52:10 -0700
Subject: [PATCH] Remove "seccomp" build tag

Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library.

That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.

Signed-off-by: Tianon Gravi
---
 Dockerfile | 1 -
 daemon/seccomp_disabled.go | 26 --------------------
 daemon/seccomp_linux.go | 3 ---
 daemon/seccomp_linux_test.go | 3 ---
 hack/test/unit | 2 +-
 integration-cli/requirements_unix_test.go | 2 +-
 integration-cli/test_vars_noseccomp_test.go | 9 -------
 integration-cli/test_vars_seccomp_test.go | 9 -------
 profiles/seccomp/default_linux.go | 3 ---
 profiles/seccomp/seccomp_unsupported.go | 9 -------
 project/PACKAGERS.md | 12 +++-------
 11 files changed, 5 insertions(+), 74 deletions(-)
 delete mode 100644 daemon/seccomp_disabled.go
 delete mode 100644 integration-cli/test_vars_noseccomp_test.go
 delete mode 100644 integration-cli/test_vars_seccomp_test.go
 delete mode 100644 profiles/seccomp/seccomp_unsupported.go

diff --git a/Dockerfile b/Dockerfile
index 4b3cb30a02..0b79732941 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,6 @@ ARG SYSTEMD="false"
 ARG GO_VERSION=1.18.2
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.5.0
-ARG DOCKER_BUILDTAGS="apparmor seccomp"
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
diff --git a/daemon/seccomp_disabled.go b/daemon/seccomp_disabled.go
deleted file mode 100644
index 5cfe585e16..0000000000
--- a/daemon/seccomp_disabled.go
+++ /dev/null
@@ -1,26 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package daemon // import "github.com/docker/docker/daemon"
-
-import (
- "context"
- "fmt"
-
- "github.com/containerd/containerd/containers"
- coci "github.com/containerd/containerd/oci"
- "github.com/docker/docker/container"
- dconfig "github.com/docker/docker/daemon/config"
-)
-
-const supportsSeccomp = false
-
-// WithSeccomp sets the seccomp profile
-func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
- return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
- if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
- return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
- }
- return nil
- }
-}
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index 860635e2c1..8336b00392 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 import (
diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go
index 93b29e1c12..c44af03446 100644
--- a/daemon/seccomp_linux_test.go
+++ b/daemon/seccomp_linux_test.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 import (
diff --git a/hack/test/unit b/hack/test/unit
index 7c8ff53adc..454e99291f 100755
--- a/hack/test/unit
+++ b/hack/test/unit
@@ -12,7 +12,7 @@
 #
 set -eux -o pipefail
-BUILDFLAGS=(-tags 'netgo seccomp libdm_no_deferred_remove')
+BUILDFLAGS=(-tags 'netgo libdm_no_deferred_remove')
 TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
 TESTDIRS="${TESTDIRS:-./...}"
 exclude_paths='/vendor/|/integration'
diff --git a/integration-cli/requirements_unix_test.go b/integration-cli/requirements_unix_test.go
index b0cc0e8f11..cc7c911662 100644
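Review bot: With `daemon/seccomp_disabled.go` deleted there is no longer a `!seccomp` counterpart on Linux, so if `daemon/seccomp_linux.go` still declares a `const supportsSeccomp = true` below the build-tag lines removed in this hunk (not visible here), that constant is now unconditionally true and its remaining readers can presumably be simplified or removed, in the same spirit as the deleted `integration-cli/test_vars_*_test.go` files. Dropping `//go:build linux && seccomp` does not widen the GOOS constraint, because the `_linux.go` filename suffix still restricts the file to Linux; a one-line comment above `package daemon` such as `// seccomp support is always compiled in on Linux; there is no build-time opt-out.` would make that intent explicit for the next reader. The file's declarations continue outside the hunk.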
--- a/integration-cli/requirements_unix_test.go
+++ b/integration-cli/requirements_unix_test.go
@@ -62,7 +62,7 @@ func cgroupCpuset() bool {
 }
 func seccompEnabled() bool {
- return supportsSeccomp && SysInfo.Seccomp
+ return SysInfo.Seccomp
 }
 func bridgeNfIptables() bool {
diff --git a/integration-cli/test_vars_noseccomp_test.go b/integration-cli/test_vars_noseccomp_test.go
deleted file mode 100644
index 79c7f3bb6e..0000000000
--- a/integration-cli/test_vars_noseccomp_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build !seccomp
-// +build !seccomp
-
-package main
-
-const (
- // indicates docker daemon built with seccomp support
- supportsSeccomp = false
-)
diff --git a/integration-cli/test_vars_seccomp_test.go b/integration-cli/test_vars_seccomp_test.go
deleted file mode 100644
index 0c16cf4ae8..0000000000
--- a/integration-cli/test_vars_seccomp_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build seccomp
-// +build seccomp
-
-package main
-
-const (
- // indicates docker daemon built with seccomp support
- supportsSeccomp = true
-)
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index e51f1018aa..7c06e728b7 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -1,6 +1,3 @@
-//go:build seccomp
-// +build seccomp
-
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 import (
diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
deleted file mode 100644
index d337695e10..0000000000
--- a/profiles/seccomp/seccomp_unsupported.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package seccomp // import "github.com/docker/docker/profiles/seccomp"
-
-// DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *Seccomp {
- return nil
-}
diff --git a/project/PACKAGERS.md b/project/PACKAGERS.md
index 502a3808b1..62b7ed50d3 100644
--- a/project/PACKAGERS.md
+++ b/project/PACKAGERS.md
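Review bot: `seccompEnabled` now gates tests on `SysInfo.Seccomp` alone, i.e. on whether the host kernel reports seccomp, because the build-time `supportsSeccomp` constant it used to AND with is deleted in this same commit; nothing in the hunk documents that the meaning of the requirement has narrowed from "built with and available" to "available at runtime". A doc comment would stop future readers from re-adding a build-time guard: `// seccompEnabled reports whether the host kernel supports seccomp. The daemon is always built with seccomp support, so this is purely a runtime check.` The neighbouring `bridgeNfIptables` in the hunk is likewise undocumented, but that is pre-existing. The enclosing function lies entirely within the hunk.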
@@ -81,14 +81,8 @@ Please use our build script ("./hack/make.sh") for compilation.
 ### `DOCKER_BUILDTAGS`
-If you're building a binary that might be used on platforms that include
-seccomp, you will need to use the `seccomp` build tag:
-```bash
-export DOCKER_BUILDTAGS='seccomp'
-```
-
-There are build tags for disabling graphdrivers as well. By default, support
-for all graphdrivers are built in.
+There are build tags for disabling graphdrivers, if necessary. By default,
+support for all graphdrivers are built in.
 To disable btrfs:
 ```bash
@@ -107,7 +101,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
 NOTE: if you need to set more than one build tag, space separate them:
 ```bash
-export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs exclude_graphdriver_btrfs'
 ```
 ## System Dependencies