Merge pull request #4806 from vrothberg/seccomp

policy for seccomp-profile selection

cmd/podman/common.go

@@ -538,6 +538,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 		"workdir", "w", "",
 		"Working directory inside the container",
 	)
+	createFlags.String(
+		"seccomp-policy", "default",
+		"Policy for selecting a seccomp profile (experimental)",
+	)
 }
 
 func getFormat(c *cliconfig.PodmanCommand) (string, error) {

cmd/podman/shared/create.go

@@ -31,6 +31,10 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// seccompAnnotationKey is the key of the image annotation embedding a seccomp
+// profile.
+const seccompAnnotationKey = "io.containers.seccomp.profile"
+
 func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
 	var (
 		healthCheck *manifest.Schema2HealthConfig
@@ -67,7 +71,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 	}
 
 	imageName := ""
-	var data *inspect.ImageData = nil
+	var imageData *inspect.ImageData = nil
 
 	// Set the storage if there is no rootfs specified
 	if rootfs == "" {
@@ -99,17 +103,17 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		if err != nil {
 			return nil, nil, err
 		}
-		data, err = newImage.Inspect(ctx)
+		imageData, err = newImage.Inspect(ctx)
 		if err != nil {
 			return nil, nil, err
 		}
 
-		if overrideOS == "" && data.Os != goruntime.GOOS {
-			return nil, nil, errors.Errorf("incompatible image OS %q on %q host", data.Os, goruntime.GOOS)
+		if overrideOS == "" && imageData.Os != goruntime.GOOS {
+			return nil, nil, errors.Errorf("incompatible image OS %q on %q host", imageData.Os, goruntime.GOOS)
 		}
 
-		if overrideArch == "" && data.Architecture != goruntime.GOARCH {
-			return nil, nil, errors.Errorf("incompatible image architecture %q on %q host", data.Architecture, goruntime.GOARCH)
+		if overrideArch == "" && imageData.Architecture != goruntime.GOARCH {
+			return nil, nil, errors.Errorf("incompatible image architecture %q on %q host", imageData.Architecture, goruntime.GOARCH)
 		}
 
 		names := newImage.Names()
@@ -171,7 +175,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		}
 	}
 
-	createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, data)
+	createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, imageData)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -712,6 +716,18 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		return nil, err
 	}
 
+	// SECCOMP
+	if data != nil {
+		if value, exists := data.Annotations[seccompAnnotationKey]; exists {
+			secConfig.SeccompProfileFromImage = value
+		}
+	}
+	if policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy")); err != nil {
+		return nil, err
+	} else {
+		secConfig.SeccompPolicy = policy
+	}
+
 	config := &cc.CreateConfig{
 		Annotations:       annotations,
 		BuiltinImgVolumes: ImageVolumes,

cmd/podman/shared/intermediate.go

@@ -463,6 +463,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 	m["volume"] = newCRStringArray(c, "volume")
 	m["volumes-from"] = newCRStringSlice(c, "volumes-from")
 	m["workdir"] = newCRString(c, "workdir")
+	m["seccomp-policy"] = newCRString(c, "seccomp-policy")
 	// global flag
 	if !remote {
 		m["authfile"] = newCRString(c, "authfile")