// +build linux,seccomp

package daemon // import "github.com/docker/docker/daemon"

import (
	"context"
	"fmt"

	"github.com/containerd/containerd/containers"
	coci "github.com/containerd/containerd/oci"
	"github.com/docker/docker/container"
	"github.com/docker/docker/profiles/seccomp"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/sirupsen/logrus"
)

// supportsSeccomp reports that this daemon binary was built with seccomp
// support (see the linux,seccomp build constraint above).
const supportsSeccomp = true

// WithSeccomp returns a SpecOpts that installs the seccomp filter for
// container c into s.Linux.Seccomp.
//
// Resolution order, exactly as the closure below implements it:
//   - a privileged container gets no filter; the spec is left untouched;
//   - if the kernel has no seccomp support, asking for a custom profile is an
//     error, while any other setting is downgraded to "unconfined" with a
//     warning and that downgrade is written back to c.SeccompProfile;
//   - "unconfined" leaves the spec untouched;
//   - a non-empty c.SeccompProfile is handed to seccomp.LoadProfile;
//   - otherwise the daemon-wide profile (daemon.seccompProfile) is used when
//     set, and seccomp.GetDefaultProfile when it is not.
//
// Errors from seccomp.LoadProfile / seccomp.GetDefaultProfile are returned
// to the caller unchanged.
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
		// Privileged containers deliberately run without a seccomp filter.
		if c.HostConfig.Privileged {
			return nil
		}

		if !daemon.seccompEnabled {
			// Without kernel support a custom profile cannot be honoured, so
			// refuse rather than silently run with a weaker sandbox.
			if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
			}
			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
			// Persist the downgrade on the container so later inspection
			// reflects the filter that was actually applied (none).
			c.SeccompProfile = "unconfined"
		}

		if c.SeccompProfile == "unconfined" {
			return nil
		}

		var (
			profile *specs.LinuxSeccomp
			err     error
		)
		switch {
		case c.SeccompProfile != "":
			// Per-container profile. NOTE(review): presumably this string is
			// the profile body rather than a path, since it goes straight to
			// LoadProfile — confirm against profiles/seccomp.
			profile, err = seccomp.LoadProfile(c.SeccompProfile, s)
		case daemon.seccompProfile != nil:
			// Daemon-wide override configured by the operator.
			profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
		default:
			// Built-in default profile shipped with the daemon.
			profile, err = seccomp.GetDefaultProfile(s)
		}
		if err != nil {
			return err
		}

		// NOTE(review): assumes s.Linux has already been populated by an
		// earlier SpecOpts; a nil s.Linux would panic here — confirm ordering
		// at the call site.
		s.Linux.Seccomp = profile
		return nil
	}
}