mirror of
https://github.com/containers/podman.git
synced 2025-11-04 17:07:20 +08:00
72f1617fac
Moving from Go module v4 to v5 prepares us for public releases. Move done using gomove [1] as with the v3 and v4 moves. [1] https://github.com/KSubedi/gomove Signed-off-by: Matt Heon <mheon@redhat.com>
67 lines
2.0 KiB
Go
67 lines
2.0 KiB
Go
//go:build linux && !remote
|
|
|
|
package generate
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/containers/common/libimage"
|
|
goSeccomp "github.com/containers/common/pkg/seccomp"
|
|
"github.com/containers/podman/v5/pkg/seccomp"
|
|
"github.com/containers/podman/v5/pkg/specgen"
|
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *libimage.Image) (*spec.LinuxSeccomp, error) {
|
|
var seccompConfig *spec.LinuxSeccomp
|
|
var err error
|
|
scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if scp == seccomp.PolicyImage {
|
|
if img == nil {
|
|
return nil, errors.New("cannot read seccomp profile without a valid image")
|
|
}
|
|
labels, err := img.Labels(context.Background())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
imagePolicy := labels[seccomp.ContainerImageLabel]
|
|
if len(imagePolicy) < 1 {
|
|
return nil, errors.New("no seccomp policy defined by image")
|
|
}
|
|
logrus.Debug("Loading seccomp profile from the security config")
|
|
seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("loading seccomp profile failed: %w", err)
|
|
}
|
|
return seccompConfig, nil
|
|
}
|
|
|
|
if s.SeccompProfilePath != "" {
|
|
logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
|
|
seccompProfile, err := os.ReadFile(s.SeccompProfilePath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("opening seccomp profile failed: %w", err)
|
|
}
|
|
seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("loading seccomp profile (%s) failed: %w", s.SeccompProfilePath, err)
|
|
}
|
|
} else {
|
|
logrus.Debug("Loading default seccomp profile")
|
|
seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("loading seccomp profile (%s) failed: %w", s.SeccompProfilePath, err)
|
|
}
|
|
}
|
|
|
|
return seccompConfig, nil
|
|
}
|