Browse code
Remove "seccomp" build tag
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Tianon Gravi authored on 2021/06/10 03:52:10Showing 11 changed files
- Dockerfile
- daemon/seccomp_disabled.go
- daemon/seccomp_linux.go
- daemon/seccomp_linux_test.go
- hack/test/unit
- integration-cli/requirements_unix_test.go
- integration-cli/test_vars_noseccomp_test.go
- integration-cli/test_vars_seccomp_test.go
- profiles/seccomp/default_linux.go
- profiles/seccomp/seccomp_unsupported.go
- project/PACKAGERS.md
| 12 | 11 |
deleted file mode 100644 |
| ... | ... |
@@ -1,26 +0,0 @@ |
| 1 |
-//go:build linux && !seccomp |
|
| 2 |
-// +build linux,!seccomp |
|
| 3 |
- |
|
| 4 |
-package daemon // import "github.com/docker/docker/daemon" |
|
| 5 |
- |
|
| 6 |
-import ( |
|
| 7 |
- "context" |
|
| 8 |
- "fmt" |
|
| 9 |
- |
|
| 10 |
- "github.com/containerd/containerd/containers" |
|
| 11 |
- coci "github.com/containerd/containerd/oci" |
|
| 12 |
- "github.com/docker/docker/container" |
|
| 13 |
- dconfig "github.com/docker/docker/daemon/config" |
|
| 14 |
-) |
|
| 15 |
- |
|
| 16 |
-const supportsSeccomp = false |
|
| 17 |
- |
|
| 18 |
-// WithSeccomp sets the seccomp profile |
|
| 19 |
-func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|
| 20 |
- return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
|
| 21 |
- if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
|
|
| 22 |
- return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
|
|
| 23 |
- } |
|
| 24 |
- return nil |
|
| 25 |
- } |
|
| 26 |
-} |
| ... | ... |
@@ -12,7 +12,7 @@ |
| 12 | 12 |
# |
| 13 | 13 |
set -eux -o pipefail |
| 14 | 14 |
|
| 15 |
-BUILDFLAGS=(-tags 'netgo seccomp libdm_no_deferred_remove') |
|
| 15 |
+BUILDFLAGS=(-tags 'netgo libdm_no_deferred_remove') |
|
| 16 | 16 |
TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
|
| 17 | 17 |
TESTDIRS="${TESTDIRS:-./...}"
|
| 18 | 18 |
exclude_paths='/vendor/|/integration' |
| 7 | 4 |
deleted file mode 100644 |
| ... | ... |
@@ -1,9 +0,0 @@ |
| 1 |
-//go:build linux && !seccomp |
|
| 2 |
-// +build linux,!seccomp |
|
| 3 |
- |
|
| 4 |
-package seccomp // import "github.com/docker/docker/profiles/seccomp" |
|
| 5 |
- |
|
| 6 |
-// DefaultProfile returns a nil pointer on unsupported systems. |
|
| 7 |
-func DefaultProfile() *Seccomp {
|
|
| 8 |
- return nil |
|
| 9 |
-} |
| ... | ... |
@@ -81,14 +81,8 @@ Please use our build script ("./hack/make.sh") for compilation.
|
| 81 | 81 |
|
| 82 | 82 |
### `DOCKER_BUILDTAGS` |
| 83 | 83 |
|
| 84 |
-If you're building a binary that might be used on platforms that include |
|
| 85 |
-seccomp, you will need to use the `seccomp` build tag: |
|
| 86 |
-```bash |
|
| 87 |
-export DOCKER_BUILDTAGS='seccomp' |
|
| 88 |
-``` |
|
| 89 |
- |
|
| 90 |
-There are build tags for disabling graphdrivers as well. By default, support |
|
| 91 |
-for all graphdrivers are built in. |
|
| 84 |
+There are build tags for disabling graphdrivers, if necessary. By default, |
|
| 85 |
+support for all graphdrivers are built in. |
|
| 92 | 86 |
|
| 93 | 87 |
To disable btrfs: |
| 94 | 88 |
```bash |
| ... | ... |
@@ -107,7 +101,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs' |
| 107 | 107 |
|
| 108 | 108 |
NOTE: if you need to set more than one build tag, space separate them: |
| 109 | 109 |
```bash |
| 110 |
-export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs' |
|
| 110 |
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs exclude_graphdriver_btrfs' |
|
| 111 | 111 |
``` |
| 112 | 112 |
|
| 113 | 113 |
## System Dependencies |