package daemon // import "github.com/docker/docker/daemon"

import (
	"context"
	"fmt"

	"github.com/containerd/containerd/containers"
	coci "github.com/containerd/containerd/oci"
	"github.com/docker/docker/container"
	dconfig "github.com/docker/docker/daemon/config"
	"github.com/docker/docker/profiles/seccomp"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/sirupsen/logrus"
)

// supportsSeccomp marks this (Linux) build as able to apply seccomp
// profiles. Whether the running kernel actually supports seccomp is a
// separate, runtime check (daemon.RawSysInfo().Seccomp) made in WithSeccomp.
const supportsSeccomp = true

// WithSeccomp returns a SpecOpts that decides which seccomp filter, if any,
// container c runs with and stores it in s.Linux.Seccomp.
//
// Resolution order; the first matching rule wins:
//
//  1. c.SeccompProfile is "unconfined"         -> no filter.
//  2. c.HostConfig.Privileged                  -> no filter. Note that this is
//     checked before any container-level profile is looked at, so a profile
//     supplied together with --privileged is not applied by this function.
//  3. kernel without seccomp support           -> a container-level custom
//     profile is an error; anything else (including a daemon-configured
//     profile) runs without a filter after a logged warning, and
//     c.SeccompProfile is rewritten to "unconfined".
//  4. c.SeccompProfile is "default"            -> built-in default profile.
//  5. c.SeccompProfile is non-empty            -> that profile, passed to
//     seccomp.LoadProfile as the profile body.
//  6. daemon.seccompProfile is set             -> the daemon-level profile
//     (its contents, not its path).
//  7. daemon.seccompProfilePath is "unconfined" -> no filter; recorded on c.
//  8. otherwise                                -> built-in default profile.
//
// Both profile loaders receive the spec so the resulting filter can depend on
// what has already been set on it (e.g. capabilities); WithSeccomp should
// therefore be applied after the options that shape those fields.
//
// Side effect: rules 3 and 7 mutate c.SeccompProfile so that the effective
// setting, rather than the requested one, is what the container reports.
// Errors from the profile loaders are returned unchanged.
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
		// Explicitly unconfined, or privileged: never install a filter.
		if c.SeccompProfile == dconfig.SeccompProfileUnconfined || c.HostConfig.Privileged {
			return nil
		}

		if !daemon.RawSysInfo().Seccomp {
			// Only a container-supplied custom profile is a hard failure here; a
			// daemon-level profile (if any) is silently replaced by "no filter"
			// apart from the warning below.
			customProfile := c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault
			if customProfile {
				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
			}
			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
			// Record what actually happened on the container.
			c.SeccompProfile = dconfig.SeccompProfileUnconfined
			return nil
		}

		if s.Linux == nil {
			s.Linux = &specs.Linux{}
		}

		// Container-level request takes precedence over the daemon-level
		// configuration, which in turn takes precedence over the built-in default.
		var err error
		switch requested := c.SeccompProfile; {
		case requested == dconfig.SeccompProfileDefault:
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		case requested != "":
			s.Linux.Seccomp, err = seccomp.LoadProfile(requested, s)
		case daemon.seccompProfile != nil:
			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
		case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
			// Daemon configured to run containers unconfined: leave s.Linux.Seccomp
			// untouched and make the container reflect that choice.
			c.SeccompProfile = dconfig.SeccompProfileUnconfined
			return nil
		default:
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		}
		return err
	}
}