Fixes #23031
If a profile is explicitly passed but the system is not built with seccomp support,
error out rather than just running without a profile at all as we would previously.
Behaviour is unchanged if no profile is specified or unconfined is specified.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
| ... | ... |
@@ -3,10 +3,15 @@ |
| 3 | 3 |
package daemon |
| 4 | 4 |
|
| 5 | 5 |
import ( |
| 6 |
+ "fmt" |
|
| 7 |
+ |
|
| 6 | 8 |
"github.com/docker/docker/container" |
| 7 | 9 |
"github.com/opencontainers/specs/specs-go" |
| 8 | 10 |
) |
| 9 | 11 |
|
| 10 | 12 |
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
|
| 13 |
+ if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
|
| 14 |
+ return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
|
|
| 15 |
+ } |
|
| 11 | 16 |
return nil |
| 12 | 17 |
} |
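Review bot: The new guard in setSeccomp rejects only an explicit custom profile, so a container whose SeccompProfile is empty still starts with no syscall filter on this build, and nothing in the function tells a maintainer or operator that this is intended. If an empty profile means "apply the default profile" on seccomp-enabled builds (not visible in this hunk), the same container configuration is confined on one daemon and unconfined on another. I would at least record the contract in a doc comment, for example `// setSeccomp is the stub for daemons built without seccomp support: it rejects an explicitly requested profile and otherwise leaves the container without a seccomp filter.` It may also be worth making the missing filter visible at daemon startup. As a style point, the error has no format verbs, so `errors.New(...)` would express it more directly than `fmt.Errorf(...)`.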