github.com/sijibomii/docker@v0.0.0-20231230191044-5cf6ca554647/daemon/seccomp_linux.go (about)

     1  // +build linux,seccomp
     2  
     3  package daemon
     4  
     5  import (
     6  	"fmt"
     7  
     8  	"github.com/Sirupsen/logrus"
     9  	"github.com/docker/docker/container"
    10  	"github.com/docker/docker/profiles/seccomp"
    11  	"github.com/opencontainers/specs/specs-go"
    12  )
    13  
// setSeccomp picks the seccomp profile for container c and, when one applies,
// stores it in rs.Linux.Seccomp. It returns an error only when a custom
// profile is requested on a daemon without seccomp support, or when loading
// a profile fails.
//
// Security-relevant outcomes, in the order they are evaluated:
//   - Privileged containers return immediately; no profile is assigned to
//     the spec by this function.
//   - If daemon.seccompEnabled is false, a custom profile is refused with an
//     error. A container using the default (empty) or "unconfined" setting is
//     NOT refused: a warning is logged, c.SeccompProfile is overwritten with
//     "unconfined", and the container proceeds without a profile.
//   - "unconfined" returns without assigning a profile.
//   - Any other non-empty value is handed to seccomp.LoadProfile; an empty
//     value selects seccomp.GetDefaultProfile.
//
// NOTE(review): the silent downgrade on a kernel without seccomp is reported
// only through the daemon log; deployments that depend on the default profile
// should monitor for that warning.
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
	// Privileged containers are never given a seccomp profile here.
	if c.HostConfig.Privileged {
		return nil
	}

	if !daemon.seccompEnabled {
		switch c.SeccompProfile {
		case "", "unconfined":
			// Fail open: the container still starts, just without a filter.
			logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
			c.SeccompProfile = "unconfined"
		default:
			// An explicitly requested custom profile cannot be honoured.
			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
		}
	}

	var (
		selected *specs.Seccomp
		loadErr  error
	)
	switch requested := c.SeccompProfile; requested {
	case "unconfined":
		return nil
	case "":
		selected, loadErr = seccomp.GetDefaultProfile()
	default:
		selected, loadErr = seccomp.LoadProfile(requested)
	}
	if loadErr != nil {
		return loadErr
	}

	rs.Linux.Seccomp = selected
	return nil
}