From f8795ed364586acd93f72e206a409e7e0e27edcc Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Mon, 7 Jun 2021 14:25:52 +0200
Subject: [PATCH] daemon: allow "builtin" as valid value for seccomp profiles

This allows containers to use the embedded default profile if a different default is set (e.g. "unconfined") in the daemon configuration. Without this option, users would have to copy the default profile to a file in order to use the default.

Signed-off-by: Sebastiaan van Stijn
---
 daemon/daemon_unix.go | 2 +-
 daemon/seccomp_linux.go | 4 +++-
 integration/daemon/daemon_test.go | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 05f790ee2c..b3c5e0be7b 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -1706,7 +1706,7 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
 }
 
 func (daemon *Daemon) setupSeccompProfile() error {
- if daemon.configStore.SeccompProfile != "" {
+ if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
 daemon.seccompProfilePath = daemon.configStore.SeccompProfile
 if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
 b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index d871e43ae8..c742f0924e 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return nil
 }
 if !daemon.seccompEnabled {
- if c.SeccompProfile != "" {
+ if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
 return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 }
 logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
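Review bot: The new condition in setupSeccompProfile makes a daemon-level builtin value work by leaving `daemon.seccompProfilePath` empty and skipping the `ioutil.ReadFile` that follows, but nothing at the site says that this is deliberate, so a later reader could "fix" it by assigning the path. I would add above the `if`: `// The builtin default is not a file: leave seccompProfilePath unset and load nothing, so container start falls back to the embedded profile.` The same `daemon.configStore.SeccompProfile` field is now read three times across the condition and the next two lines; hoisting it as `profile := daemon.configStore.SeccompProfile` and writing `if profile != "" && profile != config.SeccompProfileDefault {` keeps the condition readable. Whether anything else still reads seccompProfilePath (for example whatever the daemon reports as its active security options) and now sees an empty string for a builtin configuration is not visible here and is worth checking. The body of setupSeccompProfile continues past the end of the hunk.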
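Review bot: On a kernel without seccomp, an explicit per-container request for the builtin profile now falls through to the `logrus.Warn` line and the container starts with no filter at all, where the old condition would have rejected it as a custom profile; that mirrors how the empty value is treated, but the degradation is silent for a caller who asked for a profile by name. A comment on the new `if` would record the intent: `// builtin is the implicit default by another name, so treat it like "": warn and run unfiltered rather than fail.` If an explicit request is meant to be stricter than the implicit default, the second clause of the condition should be dropped instead. The error message still reads correctly, since builtin is no longer treated as custom. WithSeccomp continues outside the hunk.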
@@ -35,6 +35,8 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 }
 var err error
 switch {
+ case c.SeccompProfile == dconfig.SeccompProfileDefault:
+ s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
 case c.SeccompProfile != "":
 s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
 case daemon.seccompProfile != nil:
diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go
index 4be41e0472..d33868f6d7 100644
--- a/integration/daemon/daemon_test.go
+++ b/integration/daemon/daemon_test.go
@@ -116,6 +116,11 @@ func TestConfigDaemonSeccompProfiles(t *testing.T) {
 profile: "",
 expectedProfile: config.SeccompProfileDefault,
 },
+ {
+ doc: "default profile",
+ profile: config.SeccompProfileDefault,
+ expectedProfile: config.SeccompProfileDefault,
+ },
 {
 doc: "unconfined profile",
 profile: config.SeccompProfileUnconfined,
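Review bot: The new `case c.SeccompProfile == dconfig.SeccompProfileDefault` is only correct because it precedes `case c.SeccompProfile != ""`, which would otherwise pass the literal builtin name to `seccomp.LoadProfile` as a file path; the ordering deserves a comment so a later reorder does not break it, for example `// Must stay ahead of the non-empty case: the builtin name is a keyword, not a path to load.` The rest of the switch, including its `default` branch, is outside the hunk; if that branch also calls `seccomp.GetDefaultProfile(s)`, the new case duplicates it, which is acceptable but worth a note. A daemon configured with the builtin value leaves `daemon.seccompProfile` nil (see the daemon_unix.go hunk), so that configuration relies on the default branch selecting the embedded profile — worth confirming rather than assuming.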
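Review bot: The added table row exercises only the daemon-configuration path through TestConfigDaemonSeccompProfiles; the per-container selection of the builtin value added in WithSeccomp (both the `!daemon.seccompEnabled` branch and the new switch case) gets no test in this patch unless it is covered elsewhere. A case that sets the builtin value on the container while the daemon is configured with `config.SeccompProfileUnconfined`, and checks that the embedded profile is applied, would pin the behaviour the commit message describes. The test table continues outside the hunk.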