1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/daemon/seccomp_linux.go
Yong Tang adbb169463 Fix seccomp output in docker info
This fix tries to address the issue raised in #24374 where
`docker info` outputs seccomp support in Ubuntu 14.04 but
the seccomp wass not actually supported.

The issue is that in the current docker implementation, seccomp
support is only checked against the kernel by inspect CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER. However, seccomp might not be enabled
when building docker (through golang build flag).

This fix adds a supportSeccomp boolean variable. The supportSeccomp
is only set to true when seccomp is enabled when building docker.

This fix fixes #24374.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit a3b9dd89a1)
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-07-12 15:43:38 -07:00

48 lines
1 KiB
Go

// +build linux,seccomp
package daemon
import (
"fmt"
"github.com/Sirupsen/logrus"
"github.com/docker/docker/container"
"github.com/docker/docker/profiles/seccomp"
"github.com/opencontainers/specs/specs-go"
)
var supportsSeccomp = true
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
var profile *specs.Seccomp
var err error
if c.HostConfig.Privileged {
return nil
}
if !daemon.seccompEnabled {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
}
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
c.SeccompProfile = "unconfined"
}
if c.SeccompProfile == "unconfined" {
return nil
}
if c.SeccompProfile != "" {
profile, err = seccomp.LoadProfile(c.SeccompProfile)
if err != nil {
return err
}
} else {
profile, err = seccomp.GetDefaultProfile(rs)
if err != nil {
return err
}
}
rs.Linux.Seccomp = profile
return nil
}