// +build linux,seccomp
|
package daemon // import "github.com/docker/docker/daemon" |
import ( |
"context" |
"fmt"
|
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci" |
"github.com/docker/docker/container" |
"github.com/docker/docker/profiles/seccomp" |
"github.com/sirupsen/logrus" |
)
|
// supportsSeccomp reports that this build of the daemon can apply seccomp
// profiles. This file is only compiled under the "linux,seccomp" build
// constraint (see the top of the file), so the value is unconditionally true
// here; a build without that tag presumably gets a false value from a sibling
// file that is not visible here.
const supportsSeccomp = true
|
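// WithSeccomp returns a SpecOpts that installs the seccomp profile for c into
// s.Linux.Seccomp.
//
// Resolution order, first match wins:
//
//  1. c.SeccompProfile is "unconfined", or the container is privileged: no
//     filter is installed at all, even when the daemon has a default profile
//     configured. Privileged mode therefore bypasses seccomp entirely, and a
//     custom profile requested for a privileged container is silently ignored.
//  2. The kernel has no seccomp support (daemon.seccompEnabled is false): a
//     custom profile is rejected with an error, because the requested
//     restriction cannot be honoured; with no custom profile the container is
//     marked "unconfined" and runs without a filter (a warning is logged).
//  3. Otherwise the profile is loaded from, in order of precedence, the
//     container's own profile, the daemon-wide profile, or the built-in
//     default. The spec is handed to the loader so the profile can be
//     tailored to it (presumably by capabilities/architecture; see
//     profiles/seccomp).
//
// The option returns an error, rather than panicking, if s or s.Linux is nil
// at the point a profile would be stored.
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
		// An explicit opt-out always wins; there is nothing to load.
		if c.SeccompProfile == "unconfined" {
			return nil
		}
		// Privileged containers run without a seccomp filter regardless of
		// any configured profile, container-level or daemon-level.
		if c.HostConfig.Privileged {
			return nil
		}
		if !daemon.seccompEnabled {
			// A custom profile that cannot be enforced must fail loudly
			// rather than silently running the container unrestricted.
			if c.SeccompProfile != "" {
				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
			}
			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
			// Record the effective state on the container itself so that it
			// is visible later (presumably via inspect) that no filter is in
			// force.
			c.SeccompProfile = "unconfined"
			return nil
		}
		// The branches below write s.Linux.Seccomp; guard the dereference so
		// a malformed spec yields a diagnosable error instead of a panic.
		if s == nil || s.Linux == nil {
			return fmt.Errorf("cannot apply seccomp profile: OCI spec has no linux section")
		}
		var err error
		switch {
		case c.SeccompProfile != "":
			// Container-level profile (path or inline JSON, as LoadProfile
			// accepts it) takes precedence over the daemon default.
			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
		case daemon.seccompProfile != nil:
			// daemon.seccompProfile holds the raw profile bytes, hence the
			// string conversion.
			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
		default:
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		}
		return err
	}
}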