From ee02257553d80c3bb41e3b0ad44cb4e3324bfd65 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Mon, 7 Jun 2021 13:44:32 +0200
Subject: [PATCH] Add const for "unconfined" and default seccomp profiles
Signed-off-by: Sebastiaan van Stijn
---
 daemon/config/config.go | 6 ++++++
 daemon/info.go | 2 +-
 daemon/seccomp_disabled.go | 3 ++-
 daemon/seccomp_linux.go | 5 +++--
 daemon/seccomp_linux_test.go | 3 ++-
 integration-cli/docker_cli_info_unix_test.go | 3 ++-
 6 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/daemon/config/config.go b/daemon/config/config.go
index 01d167fc0e..925fc9cb76 100644
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -58,6 +58,12 @@ const (
 LinuxV1RuntimeName = "io.containerd.runtime.v1.linux"
 // LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim
 LinuxV2RuntimeName = "io.containerd.runc.v2"
+
+ // SeccompProfileDefault is the built-in default seccomp profile.
+ SeccompProfileDefault = "default"
+ // SeccompProfileUnconfined is a special profile name for seccomp to use an
+ // "unconfined" seccomp profile.
+ SeccompProfileUnconfined = "unconfined"
 )

 var builtinRuntimes = map[string]bool{
diff --git a/daemon/info.go b/daemon/info.go
index 7c9f7e6ab8..9994affb6b 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -174,7 +174,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 if sysInfo.Seccomp && supportsSeccomp {
 profile := daemon.seccompProfilePath
 if profile == "" {
- profile = "default"
+ profile = config.SeccompProfileDefault
 }
 securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
 }
diff --git a/daemon/seccomp_disabled.go b/daemon/seccomp_disabled.go
index fff9cbe4c6..a05c58c950 100644
--- a/daemon/seccomp_disabled.go
+++ b/daemon/seccomp_disabled.go
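Review bot: The doc comments on the two new constants do not say that these strings are externally visible values rather than internal names: `SeccompProfileDefault` is what fillSecurityOptions in daemon/info.go reports in SecurityOptions when no custom profile path is set, and `SeccompProfileUnconfined` is matched verbatim against the container's `SeccompProfile` field in both WithSeccomp implementations, so neither can be renamed without breaking clients or stored container configs. I would extend the first comment to `// SeccompProfileDefault is the built-in default seccomp profile. It is also the value reported in the daemon's SecurityOptions when no custom profile is configured.` and add to the second that the value is compared case-sensitively against the container's seccomp profile setting and is therefore part of the compatibility surface. The enclosing const block starts before this hunk.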
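Review bot: `profile` is formatted unchanged into `fmt.Sprintf("name=seccomp,profile=%s", profile)` on the line after the change, and when `daemon.seccompProfilePath` is non-empty it is presumably an operator-supplied path; the entry format uses `,` and `=` as separators, so a path containing either character produces a SecurityOptions entry that consumers cannot split back unambiguously. This predates the commit, but since the branch choosing the value is being touched it is worth either documenting that the raw path is reported or escaping it. A minimal change is a comment above the append: `// profile is reported verbatim; a custom profile path may contain ',' or '='.` fillSecurityOptions starts before this hunk and its remainder is outside it.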
@@ -9,6 +9,7 @@ import (
 "github.com/containerd/containerd/containers"
 coci "github.com/containerd/containerd/oci"
 "github.com/docker/docker/container"
+ dconfig "github.com/docker/docker/daemon/config"
 )

 const supportsSeccomp = false
@@ -16,7 +17,7 @@ const supportsSeccomp = false
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
- if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+ if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
 return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
 }
 return nil
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index 7fa1a490de..7b07a53d0a 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -9,6 +9,7 @@ import (
 "github.com/containerd/containerd/containers"
 coci "github.com/containerd/containerd/oci"
 "github.com/docker/docker/container"
+ dconfig "github.com/docker/docker/daemon/config"
 "github.com/docker/docker/profiles/seccomp"
 "github.com/sirupsen/logrus"
 )
@@ -18,7 +19,7 @@ const supportsSeccomp = true
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
- if c.SeccompProfile == "unconfined" {
+ if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
 return nil
 }
 if c.HostConfig.Privileged {
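Review bot: The changed condition still rejects `SeccompProfileDefault` as a custom profile: on a daemon built with `supportsSeccomp = false`, only an empty `SeccompProfile` or `unconfined` passes, so a request carrying the new `"default"` constant fails with the "custom seccomp profile" error even though daemon/info.go advertises `default` as the profile name. I cannot tell from the hunk whether `"default"` can reach this field; rejecting it is the safe, fail-closed outcome because this build cannot enforce any profile, but that should be stated rather than implied, e.g. a comment above the `if`: `// Only "" and "unconfined" are accepted here; any other value, including "default", is rejected because this build cannot enforce a profile.` Separately, the alias is `dconfig` here and in daemon/seccomp_linux.go while the same package is imported as `config` in daemon/info.go; unless those files already bind `config` to another package (the hunks show only part of each import block), one name within the daemon package would be easier to grep. WithSeccomp's closure continues past the end of this hunk.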
@@ -29,7 +30,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 }
 logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
- c.SeccompProfile = "unconfined"
+ c.SeccompProfile = dconfig.SeccompProfileUnconfined
 return nil
 }
 var err error
diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go
index 013df72afd..8735e4bd23 100644
--- a/daemon/seccomp_linux_test.go
+++ b/daemon/seccomp_linux_test.go
@@ -8,6 +8,7 @@ import (
 coci "github.com/containerd/containerd/oci"
 config "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/container"
+ dconfig "github.com/docker/docker/daemon/config"
 doci "github.com/docker/docker/oci"
 "github.com/docker/docker/profiles/seccomp"
 specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -32,7 +33,7 @@ func TestWithSeccomp(t *testing.T) {
 seccompEnabled: true,
 },
 c: &container.Container{
- SeccompProfile: "unconfined",
+ SeccompProfile: dconfig.SeccompProfileUnconfined,
 HostConfig: &config.HostConfig{
 Privileged: false,
 },
diff --git a/integration-cli/docker_cli_info_unix_test.go b/integration-cli/docker_cli_info_unix_test.go
index 21c5a5eb5d..d7abbf44cb 100644
--- a/integration-cli/docker_cli_info_unix_test.go
+++ b/integration-cli/docker_cli_info_unix_test.go
@@ -7,6 +7,7 @@ import (
 "testing"

 "github.com/docker/docker/client"
+ "github.com/docker/docker/daemon/config"
 "gotest.tools/v3/assert"
 is "gotest.tools/v3/assert/cmp"
 )
@@ -27,6 +28,6 @@ func (s *DockerSuite) TestInfoSecurityOptions(c *testing.T) {
 assert.Check(c, is.Contains(info.SecurityOptions, "name=apparmor"))
 }
 if seccompEnabled() {
- assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile=default"))
+ assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile="+config.SeccompProfileDefault))
 }
 }
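Review bot: The new line writes `SeccompProfileUnconfined` back into `c.SeccompProfile`, so the fallback downgrades the container object itself rather than only the spec being built; if that field is persisted with the container (not visible here), the downgrade outlives the kernel condition that caused it and the container keeps running without the default profile even after seccomp becomes available, with the single `logrus.Warn` above as the only trace this hunk shows. Consider returning nil without mutating `c`, or, if the write is intentional, say so next to it: `// NOTE: overwrites the container's own profile, not just this spec — confirm whether SeccompProfile is persisted.` Operators who depend on the default profile should alert on the "running container without default profile" warning, since the downgrade is otherwise silent. WithSeccomp starts and ends outside this hunk.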
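Review bot: The `name=seccomp,profile=` prefix remains a duplicated literal in this assertion and in fillSecurityOptions (daemon/info.go), so the commit moves the profile name into daemon/config but leaves the entry format itself as two free-standing strings that must be edited in step. Since the test already imports daemon/config, a single constant for the prefix next to the two added ones (name of your choosing) used by both the daemon and this test would complete the extraction and make the reported format greppable from one place. TestInfoSecurityOptions starts before this hunk.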