// Source: github.com/vvnotw/moby@v1.13.1/daemon/seccomp_linux.go

// +build linux,seccomp

package daemon

import (
	"fmt"

	"github.com/Sirupsen/logrus"
	"github.com/docker/docker/container"
	"github.com/docker/docker/profiles/seccomp"
	"github.com/opencontainers/runtime-spec/specs-go"
)

// supportsSeccomp is true in this file, which is only compiled when the
// linux and seccomp build tags are both set.
var supportsSeccomp = true

// setSeccomp selects the seccomp profile for container c and stores it in
// rs.Linux.Seccomp. It returns nil without setting a profile when the
// container is privileged or its profile is "unconfined".
//
// Selection order for a confined container:
//  1. the container's own SeccompProfile, if non-empty;
//  2. daemon.seccompProfile, if non-nil;
//  3. the built-in default from seccomp.GetDefaultProfile.
//
// An error is returned when a custom profile is requested but
// daemon.seccompEnabled is false, or when loading a profile fails.
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
	// Privileged containers are started with no seccomp filter at all.
	if c.HostConfig.Privileged {
		return nil
	}

	if !daemon.seccompEnabled {
		// A custom profile cannot be honoured without seccomp, so refuse
		// to start rather than silently dropping the requested confinement.
		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
		}
		// Security note: a container that would have received the default
		// profile falls back to running unconfined here, and the only
		// signal is this warning. The container's SeccompProfile field is
		// overwritten as a side effect.
		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
		c.SeccompProfile = "unconfined"
	}

	var (
		loaded *specs.Seccomp
		err    error
	)

	switch {
	case c.SeccompProfile == "unconfined":
		// Explicit opt-out (or the fallback above): leave rs untouched.
		return nil
	case c.SeccompProfile != "":
		loaded, err = seccomp.LoadProfile(c.SeccompProfile, rs)
	case daemon.seccompProfile != nil:
		loaded, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
	default:
		loaded, err = seccomp.GetDefaultProfile(rs)
	}
	if err != nil {
		return err
	}

	rs.Linux.Seccomp = loaded
	return nil
}