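// Source: github.com/containers/podman/v2@v2.2.2-0.20210501105131-c1e07d070c4c/pkg/specgen/generate/config_linux_cgo.go

// +build linux,cgo

package generate

import (
	"context"
	"io/ioutil"

	goSeccomp "github.com/containers/common/pkg/seccomp"
	"github.com/containers/podman/v2/libpod/image"
	"github.com/containers/podman/v2/pkg/seccomp"
	"github.com/containers/podman/v2/pkg/specgen"
	spec "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
)

// getSeccompConfig selects and loads the seccomp profile for a container.
//
// The profile source is chosen in this order:
//
//  1. If s.SeccompPolicy resolves to seccomp.PolicyImage, the profile text is
//     read from the image label seccomp.ContainerImageLabel. In this mode
//     s.SeccompProfilePath is never consulted.
//  2. Otherwise, if s.SeccompProfilePath is non-empty, the file at that path
//     is read and parsed.
//  3. Otherwise the default profile from containers/common is used.
//
// It returns an error if the policy name cannot be looked up, if the image
// policy is requested without an image or without the label, or if reading or
// parsing the chosen profile fails.
//
// Security note: under the image policy the syscall filter is dictated by
// whoever built the image, so an image can ship a profile that is far more
// permissive than the default. Only enable that policy for images from a
// trusted source.
func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, error) {
	scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
	if err != nil {
		return nil, err
	}

	if scp == seccomp.PolicyImage {
		if img == nil {
			return nil, errors.New("cannot read seccomp profile without a valid image")
		}
		labels, err := img.Labels(context.Background())
		if err != nil {
			return nil, err
		}
		// The label value is the profile body itself, supplied by the image.
		imagePolicy := labels[seccomp.ContainerImageLabel]
		if len(imagePolicy) < 1 {
			// Fail closed: do not fall back to another profile when the
			// caller explicitly asked for the image-provided one.
			return nil, errors.New("no seccomp policy defined by image")
		}
		logrus.Debug("Loading seccomp profile from the security config")
		seccompConfig, err := goSeccomp.LoadProfile(imagePolicy, configSpec)
		if err != nil {
			return nil, errors.Wrap(err, "loading seccomp profile failed")
		}
		return seccompConfig, nil
	}

	if s.SeccompProfilePath != "" {
		logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
		seccompProfile, err := ioutil.ReadFile(s.SeccompProfilePath)
		if err != nil {
			return nil, errors.Wrap(err, "opening seccomp profile failed")
		}
		seccompConfig, err := goSeccomp.LoadProfile(string(seccompProfile), configSpec)
		if err != nil {
			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
		}
		return seccompConfig, nil
	}

	logrus.Debug("Loading default seccomp profile")
	seccompConfig, err := goSeccomp.GetDefaultProfile(configSpec)
	if err != nil {
		// s.SeccompProfilePath is empty on this path, so the previous message
		// rendered as "loading seccomp profile () failed"; name the default
		// profile instead so the failure is attributable.
		return nil, errors.Wrap(err, "loading default seccomp profile failed")
	}
	return seccompConfig, nil
}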