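//go:build linux && !remote
// +build linux,!remote

package generate

import (
	"context"
	"errors"
	"fmt"
	"os"

	"github.com/containers/common/libimage"
	goSeccomp "github.com/containers/common/pkg/seccomp"
	"github.com/containers/podman/v4/pkg/seccomp"
	"github.com/containers/podman/v4/pkg/specgen"
	spec "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/sirupsen/logrus"
)

// getSeccompConfig resolves the seccomp profile that applies to the container
// described by s and returns it as a runtime-spec LinuxSeccomp.
//
// Resolution order:
//   - s.SeccompPolicy is parsed with seccomp.LookupPolicy; an unknown policy
//     name is returned as an error.
//   - With seccomp.PolicyImage the profile JSON is taken from the image label
//     seccomp.ContainerImageLabel; a nil img or a missing/empty label is an
//     error. The label is authored by whoever built the image, so under this
//     policy the profile is only as trustworthy as the image itself.
//   - Otherwise a non-empty s.SeccompProfilePath is read from disk and parsed,
//     and an empty path selects goSeccomp.GetDefaultProfile.
//
// configSpec is handed to the profile loader unchanged. Read and parse errors
// are wrapped with %w so callers can unwrap them.
func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *libimage.Image) (*spec.LinuxSeccomp, error) {
	scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
	if err != nil {
		return nil, err
	}

	if scp == seccomp.PolicyImage {
		if img == nil {
			return nil, errors.New("cannot read seccomp profile without a valid image")
		}
		labels, err := img.Labels(context.Background())
		if err != nil {
			return nil, err
		}
		imagePolicy := labels[seccomp.ContainerImageLabel]
		if imagePolicy == "" {
			return nil, errors.New("no seccomp policy defined by image")
		}
		logrus.Debug("Loading seccomp profile from the security config")
		seccompConfig, err := goSeccomp.LoadProfile(imagePolicy, configSpec)
		if err != nil {
			return nil, fmt.Errorf("loading seccomp profile failed: %w", err)
		}
		return seccompConfig, nil
	}

	if s.SeccompProfilePath == "" {
		logrus.Debug("Loading default seccomp profile")
		seccompConfig, err := goSeccomp.GetDefaultProfile(configSpec)
		if err != nil {
			// No file is involved on this path, so don't echo the (empty)
			// s.SeccompProfilePath into the message.
			return nil, fmt.Errorf("loading default seccomp profile failed: %w", err)
		}
		return seccompConfig, nil
	}

	logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
	seccompProfile, err := os.ReadFile(s.SeccompProfilePath)
	if err != nil {
		return nil, fmt.Errorf("opening seccomp profile failed: %w", err)
	}
	seccompConfig, err := goSeccomp.LoadProfile(string(seccompProfile), configSpec)
	if err != nil {
		return nil, fmt.Errorf("loading seccomp profile (%s) failed: %w", s.SeccompProfilePath, err)
	}
	return seccompConfig, nil
}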