@@ -10,7 +10,6 @@ import (

 	coci "github.com/containerd/containerd/oci"

 	"github.com/docker/docker/container"

 	"github.com/docker/docker/profiles/seccomp"

-	specs "github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/sirupsen/logrus"

 )

@@ -19,43 +18,29 @@ const supportsSeccomp = true

 // WithSeccomp sets the seccomp profile

 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {

 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {

-		var profile *specs.LinuxSeccomp

-		var err error

-

+		if c.SeccompProfile == "unconfined" {

+			return nil

+		}

 		if c.HostConfig.Privileged {

 			return nil

 		}

-

 		if !daemon.seccompEnabled {

-			if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {

+			if c.SeccompProfile != "" {

 				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")

 			}

 			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")

 			c.SeccompProfile = "unconfined"

-		}

-		if c.SeccompProfile == "unconfined" {

 			return nil

 		}

-		if c.SeccompProfile != "" {

-			profile, err = seccomp.LoadProfile(c.SeccompProfile, s)

-			if err != nil {

-				return err

-			}

-		} else {

-			if daemon.seccompProfile != nil {

-				profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)

-				if err != nil {

-					return err

-				}

-			} else {

-				profile, err = seccomp.GetDefaultProfile(s)

-				if err != nil {

-					return err

-				}

-			}

+		var err error

+		switch {

+		case c.SeccompProfile != "":

+			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)

+		case daemon.seccompProfile != nil:

+			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)

+		default:

+			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)

 		}

-

-		s.Linux.Seccomp = profile

-		return nil

+		return err

 	}

 }