
Commit ee02257

committed
Add const for "unconfined" and default seccomp profiles
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1 parent 5e498e2 commit ee02257


6 files changed

+16
-6
lines changed


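--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -58,6 +58,12 @@ const (
 LinuxV1RuntimeName = "io.containerd.runtime.v1.linux"
 // LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim
 LinuxV2RuntimeName = "io.containerd.runc.v2"
+
+// SeccompProfileDefault is the built-in default seccomp profile.
+SeccompProfileDefault = "default"
+// SeccompProfileUnconfined is a special profile name for seccomp to use an
+// "unconfined" seccomp profile.
+SeccompProfileUnconfined = "unconfined"
 )
 
 var builtinRuntimes = map[string]bool{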
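Review bot: The doc comment on `SeccompProfileUnconfined` is circular and does not say what selecting this name means for a container. Judging by the `WithSeccomp` changes in this commit, which return early without touching the spec for this value, it means no seccomp filter is applied. I would state that directly, e.g. `// SeccompProfileUnconfined is the special profile name that runs a container without a seccomp filter.` The two constants are also appended to the const block that holds the containerd runtime names (the block opens outside this hunk); a separate `const ( ... )` group for seccomp profile names would keep unrelated values apart.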

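--- a/daemon/info.go
+++ b/daemon/info.go
@@ -174,7 +174,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 if sysInfo.Seccomp && supportsSeccomp {
 profile := daemon.seccompProfilePath
 if profile == "" {
-profile = "default"
+profile = config.SeccompProfileDefault
 }
 securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
 }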

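--- a/daemon/seccomp_disabled.go
+++ b/daemon/seccomp_disabled.go
@@ -9,14 +9,15 @@ import (
 "github.com/containerd/containerd/containers"
 coci "github.com/containerd/containerd/oci"
 "github.com/docker/docker/container"
+dconfig "github.com/docker/docker/daemon/config"
 )
 
 const supportsSeccomp = false
 
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
-if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
 return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
 }
 return nil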
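Review bot: The doc comment `// WithSeccomp sets the seccomp profile` does not describe this build's variant, which sets nothing: it returns an error for any non-empty profile other than `dconfig.SeccompProfileUnconfined` and otherwise leaves the spec untouched. A comment such as `// WithSeccomp rejects any requested seccomp profile other than "unconfined"; this build has no seccomp support and never modifies the spec.` would make clear that containers on such a daemon run unfiltered. Now that `SeccompProfileDefault` exists, it is also worth confirming whether that value can reach `c.SeccompProfile`, since this check would report it as a "custom" profile. The function's closing braces lie outside the hunk.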

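--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -9,6 +9,7 @@ import (
 "github.com/containerd/containerd/containers"
 coci "github.com/containerd/containerd/oci"
 "github.com/docker/docker/container"
+dconfig "github.com/docker/docker/daemon/config"
 "github.com/docker/docker/profiles/seccomp"
 "github.com/sirupsen/logrus"
 )
@@ -18,7 +19,7 @@ const supportsSeccomp = true
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
-if c.SeccompProfile == "unconfined" {
+if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
 return nil
 }
 if c.HostConfig.Privileged {
@@ -29,7 +30,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 }
 logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
-c.SeccompProfile = "unconfined"
+c.SeccompProfile = dconfig.SeccompProfileUnconfined
 return nil
 }
 var err error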
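Review bot: The fallback at `c.SeccompProfile = dconfig.SeccompProfileUnconfined` in the third hunk is a fail-open path. When the kernel lacks seccomp and no custom profile was requested, the container starts without syscall filtering, and the only trace is a warning that does not identify the container. Attaching the container to the log entry would make the downgrade attributable when reviewing logs, e.g. `logrus.WithField("container", c.ID).Warn("seccomp is not enabled in your kernel, running container without default profile")`. A comment on the assignment such as `// kernel has no seccomp: run unfiltered and record the profile as unconfined` would make the intent explicit. The condition guarding this branch falls between the second and third hunks and is not visible here, so the exact trigger should be confirmed against the full function.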

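--- a/daemon/seccomp_linux_test.go
+++ b/daemon/seccomp_linux_test.go
@@ -8,6 +8,7 @@ import (
 coci "github.com/containerd/containerd/oci"
 config "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/container"
+dconfig "github.com/docker/docker/daemon/config"
 doci "github.com/docker/docker/oci"
 "github.com/docker/docker/profiles/seccomp"
 specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -32,7 +33,7 @@ func TestWithSeccomp(t *testing.T) {
 seccompEnabled: true,
 },
 c: &container.Container{
-SeccompProfile: "unconfined",
+SeccompProfile: dconfig.SeccompProfileUnconfined,
 HostConfig: &config.HostConfig{
 Privileged: false,
 },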
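Review bot: Using `dconfig.SeccompProfileUnconfined` as the fixture value means this test can no longer detect an accidental change to the constant itself, because fixture and implementation now move together. The string appears to be a name that callers supply from outside the daemon, so its literal value is part of the contract and deserves one pinned check, e.g. `if dconfig.SeccompProfileUnconfined != "unconfined" { t.Fatal("seccomp unconfined profile name changed") }`. The same applies to `"name=seccomp,profile="+config.SeccompProfileDefault` in integration-cli/docker_cli_info_unix_test.go, where the expected info output is now derived from the constant the daemon uses to produce it. The body of `TestWithSeccomp` continues outside this hunk.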

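--- a/integration-cli/docker_cli_info_unix_test.go
+++ b/integration-cli/docker_cli_info_unix_test.go
@@ -7,6 +7,7 @@ import (
 "testing"
 
 "github.com/docker/docker/client"
+"github.com/docker/docker/daemon/config"
 "gotest.tools/v3/assert"
 is "gotest.tools/v3/assert/cmp"
 )
@@ -27,6 +28,6 @@ func (s *DockerSuite) TestInfoSecurityOptions(c *testing.T) {
 assert.Check(c, is.Contains(info.SecurityOptions, "name=apparmor"))
 }
 if seccompEnabled() {
-assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile=default"))
+assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile="+config.SeccompProfileDefault))
 }
 }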
