daemon: allow "builtin" as valid value for seccomp profiles

This allows containers to use the embedded default profile if a different default is set (e.g. "unconfined") in the daemon configuration. Without this option, users would have to copy the default profile to a file in order to use the default. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 12:21:53 -05:00 · 2021-06-07 14:25:52 +02:00 · 2021-06-07 14:25:52 +02:00 · f8795ed364
commit f8795ed364
parent 68e96f88ee
3 changed files with 9 additions and 2 deletions
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@ -1706,7 +1706,7 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
 }

 func (daemon *Daemon) setupSeccompProfile() error {
-	if daemon.configStore.SeccompProfile != "" {
+	if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
 		daemon.seccompProfilePath = daemon.configStore.SeccompProfile
 		if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
 			b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 			return nil
 		}
 		if !daemon.seccompEnabled {
-			if c.SeccompProfile != "" {
+			if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
 				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 			}
 			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
@ -35,6 +35,8 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		}
 		var err error
 		switch {
+		case c.SeccompProfile == dconfig.SeccompProfileDefault:
+			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
 		case c.SeccompProfile != "":
 			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
 		case daemon.seccompProfile != nil:
--- a/integration/daemon/daemon_test.go
+++ b/integration/daemon/daemon_test.go
@ -116,6 +116,11 @@ func TestConfigDaemonSeccompProfiles(t *testing.T) {
 			profile:         "",
 			expectedProfile: config.SeccompProfileDefault,
 		},
+		{
+			doc:             "default profile",
+			profile:         config.SeccompProfileDefault,
+			expectedProfile: config.SeccompProfileDefault,
+		},
 		{
 			doc:             "unconfined profile",
 			profile:         config.SeccompProfileUnconfined,