func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error { var profile *specs.Seccomp var err error if c.HostConfig.Privileged { return nil } if !daemon.seccompEnabled { if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" { return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.") } logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.") c.SeccompProfile = "unconfined" } if c.SeccompProfile == "unconfined" { return nil } if c.SeccompProfile != "" { profile, err = seccomp.LoadProfile(c.SeccompProfile, rs) if err != nil { return err } } else { profile, err = seccomp.GetDefaultProfile(rs) if err != nil { return err } } rs.Linux.Seccomp = profile return nil }
// saves the default seccomp profile as a json file so people can use it as a // base for their own custom profiles func main() { wd, err := os.Getwd() if err != nil { panic(err) } f := filepath.Join(wd, "default.json") // get the default profile p := seccomp.GetDefaultProfile() // write the default profile to the file b, err := json.MarshalIndent(p, "", "\t") if err != nil { panic(err) } if err := ioutil.WriteFile(f, b, 0644); err != nil { panic(err) } }
// createContainer populates and configures the container type with the // data provided by the execdriver.Command func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks) (container *configs.Config, err error) { container = execdriver.InitContainer(c) if err := d.createIpc(container, c); err != nil { return nil, err } if err := d.createPid(container, c); err != nil { return nil, err } if err := d.createUTS(container, c); err != nil { return nil, err } if err := d.setupRemappedRoot(container, c); err != nil { return nil, err } if err := d.createNetwork(container, c, hooks); err != nil { return nil, err } if c.ProcessConfig.Privileged { if !container.Readonlyfs { // clear readonly for /sys for i := range container.Mounts { if container.Mounts[i].Destination == "/sys" { container.Mounts[i].Flags &= ^syscall.MS_RDONLY } } container.ReadonlyPaths = nil } // clear readonly for cgroup for i := range container.Mounts { if container.Mounts[i].Device == "cgroup" { container.Mounts[i].Flags &= ^syscall.MS_RDONLY } } container.MaskPaths = nil if err := d.setPrivileged(container); err != nil { return nil, err } } else { if err := d.setCapabilities(container, c); err != nil { return nil, err } if c.SeccompProfile == "" { container.Seccomp = seccomp.GetDefaultProfile() } } // add CAP_ prefix to all caps for new libcontainer update to match // the spec format. for i, s := range container.Capabilities { if !strings.HasPrefix(s, "CAP_") { container.Capabilities[i] = fmt.Sprintf("CAP_%s", s) } } container.AdditionalGroups = c.GroupAdd if c.AppArmorProfile != "" { container.AppArmorProfile = c.AppArmorProfile } if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" { container.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile) if err != nil { return nil, err } } if err := execdriver.SetupCgroups(container, c); err != nil { return nil, err } container.OomScoreAdj = c.OomScoreAdj if container.Readonlyfs { for i := range container.Mounts { switch container.Mounts[i].Destination { case "/proc", "/dev", "/dev/pts": continue } container.Mounts[i].Flags |= syscall.MS_RDONLY } /* These paths must be remounted as r/o */ container.ReadonlyPaths = append(container.ReadonlyPaths, "/dev") } if err := d.setupMounts(container, c); err != nil { return nil, err } d.setupLabels(container, c) d.setupRlimits(container, c) return container, nil }