github.com/wozhu6104/docker@v20.10.10+incompatible/daemon/seccomp_linux.go

github.com/wozhu6104/docker@v20.10.10+incompatible/daemon/seccomp_linux.go (about)

     1  // +build linux,seccomp
     2  
     3  package daemon // import "github.com/docker/docker/daemon"
     4  
     5  import (
     6  	"context"
     7  	"fmt"
     8  
     9  	"github.com/containerd/containerd/containers"
    10  	coci "github.com/containerd/containerd/oci"
    11  	"github.com/docker/docker/container"
    12  	"github.com/docker/docker/profiles/seccomp"
    13  	"github.com/sirupsen/logrus"
    14  )
    15  
    16  const supportsSeccomp = true
    17  
    18  // WithSeccomp sets the seccomp profile
    19  func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
    20  	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
    21  		if c.SeccompProfile == "unconfined" {
    22  			return nil
    23  		}
    24  		if c.HostConfig.Privileged {
    25  			return nil
    26  		}
    27  		if !daemon.seccompEnabled {
    28  			if c.SeccompProfile != "" {
    29  				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
    30  			}
    31  			logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
    32  			c.SeccompProfile = "unconfined"
    33  			return nil
    34  		}
    35  		var err error
    36  		switch {
    37  		case c.SeccompProfile != "":
    38  			s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
    39  		case daemon.seccompProfile != nil:
    40  			s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
    41  		default:
    42  			s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
    43  		}
    44  		return err
    45  	}
    46  }