// Source: github.com/wozhu6104/docker@v20.10.10+incompatible/daemon/seccomp_linux.go

// +build linux,seccomp

package daemon // import "github.com/docker/docker/daemon"

import (
	"context"
	"fmt"

	"github.com/containerd/containerd/containers"
	coci "github.com/containerd/containerd/oci"
	"github.com/docker/docker/container"
	"github.com/docker/docker/profiles/seccomp"
	"github.com/sirupsen/logrus"
)

// supportsSeccomp is true in this file, which is only compiled when both the
// linux and seccomp build tags are set.
const supportsSeccomp = true

// WithSeccomp returns a SpecOpts that fills in s.Linux.Seccomp for container c.
//
// The spec is left untouched (no seccomp filter is configured here) when:
//   - c.SeccompProfile is "unconfined";
//   - c.HostConfig.Privileged is set;
//   - daemon.seccompEnabled is false and the container asked for no custom
//     profile. This case only logs a warning and records "unconfined" on the
//     container, so the missing default profile is visible afterwards in
//     c.SeccompProfile and in the daemon log, not as an error to the caller.
//
// A custom profile combined with daemon.seccompEnabled == false is rejected
// with an error instead of being silently dropped.
//
// Otherwise the profile is chosen in this order: the container's own
// profile, the daemon-wide profile, then the built-in default.
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
		// Explicit opt-outs: an "unconfined" profile or a privileged
		// container both skip seccomp entirely. The profile check comes
		// first, so HostConfig is not read for unconfined containers.
		if c.SeccompProfile == "unconfined" || c.HostConfig.Privileged {
			return nil
		}

		if !daemon.seccompEnabled {
			// A requested custom profile cannot be honoured; fail the
			// start instead of running with weaker confinement than
			// the caller asked for.
			if c.SeccompProfile != "" {
				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
			}
			// Only the default profile is lost: warn, and persist
			// "unconfined" on the container so its recorded state
			// matches how it actually runs.
			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
			c.SeccompProfile = "unconfined"
			return nil
		}

		// Most specific profile wins: container, then daemon, then default.
		// NOTE(review): both LoadProfile arguments are handed over as
		// strings; presumably the profile contents, not a path. Confirm
		// against seccomp.LoadProfile.
		var err error
		if c.SeccompProfile != "" {
			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
		} else if daemon.seccompProfile != nil {
			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
		} else {
			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
		}
		return err
	}
}