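package daemon // import "github.com/docker/docker/daemon"

import (
	"context"
	"fmt"

	"github.com/containerd/containerd/containers"
	coci "github.com/containerd/containerd/oci"
	"github.com/docker/docker/container"
	dconfig "github.com/docker/docker/daemon/config"
	"github.com/docker/docker/profiles/seccomp"
	"github.com/sirupsen/logrus"
)

// supportsSeccomp reports that this (linux) build can apply seccomp profiles.
const supportsSeccomp = true

// WithSeccomp returns a SpecOpts that fills in s.Linux.Seccomp for container c.
//
// The profile is chosen in this order:
//   - c.SeccompProfile is "unconfined", or the container is privileged: the
//     spec is left untouched and nil is returned (a custom profile requested
//     on a privileged container is therefore ignored, not applied).
//   - the kernel reports no seccomp support: a custom profile is an error; a
//     "default" or unset profile is downgraded to unconfined with a warning,
//     and c.SeccompProfile is updated to record that.
//   - otherwise, by precedence: the container's explicit "default" request,
//     the container's custom profile, the daemon-wide profile
//     (daemon.seccompProfile), the daemon-wide "unconfined" setting, and
//     finally the built-in default profile.
//
// The returned option mutates c.SeccompProfile in the unconfined cases so the
// effective setting is visible on the container afterwards. Any error from
// loading or generating the profile is returned unchanged.
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
		if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
			return nil
		}
		if c.HostConfig.Privileged {
			return nil
		}
		if !daemon.RawSysInfo().Seccomp {
			// A custom profile cannot be honoured without kernel support;
			// refuse rather than silently run with weaker isolation.
			if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
			}
			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
			c.SeccompProfile = dconfig.SeccompProfileUnconfined
			return nil
		}
		// Most branches below assign s.Linux.Seccomp; a spec with no Linux
		// section is malformed for this code path, so fail instead of panicking.
		if s.Linux == nil {
			return fmt.Errorf("cannot apply seccomp profile: spec has no linux section")
		}
		var err error
		switch {
		case c.SeccompProfile == dconfig.SeccompProfileDefault:
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		case c.SeccompProfile != "":
			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
		case daemon.seccompProfile != nil:
			// Daemon-wide profile contents; presumably loaded from the daemon's
			// seccomp-profile setting — confirm against daemon config handling.
			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
		case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
			// Daemon configured for no profile: leave the spec untouched and
			// record the effective setting on the container.
			c.SeccompProfile = dconfig.SeccompProfileUnconfined
		default:
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		}
		return err
	}
}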