Merge pull request #4754 from thaJeztah/fix_seccomp_defaults

cli/command/container: parseSecurityOpts: fix --security-opt seccomp=builtin
This commit is contained in:
Sebastiaan van Stijn 2024-01-05 14:30:33 +01:00 committed by GitHub
commit b36c16d38d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 20 deletions

View File

@ -28,6 +28,20 @@ import (
cdi "tags.cncf.io/container-device-interface/pkg/parser" cdi "tags.cncf.io/container-device-interface/pkg/parser"
) )
const (
// TODO(thaJeztah): define these in the API-types, or query available defaults
// from the daemon, or require "local" profiles to be an absolute path or
// relative paths starting with "./". The daemon-config has consts for this
// but we don't want to import that package:
// https://github.com/moby/moby/blob/v23.0.0/daemon/config/config.go#L63-L67
// seccompProfileDefault is the built-in default seccomp profile.
seccompProfileDefault = "builtin"
// seccompProfileUnconfined is a special profile name for seccomp to use an
// "unconfined" seccomp profile.
seccompProfileUnconfined = "unconfined"
)
var deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`) var deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
// containerOptions is a data object with all the options for creating a container // containerOptions is a data object with all the options for creating a container
@ -914,7 +928,13 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
// "no-new-privileges" is the only option that does not require a value. // "no-new-privileges" is the only option that does not require a value.
return securityOpts, errors.Errorf("Invalid --security-opt: %q", opt) return securityOpts, errors.Errorf("Invalid --security-opt: %q", opt)
} }
if k == "seccomp" && v != "unconfined" { if k == "seccomp" {
switch v {
case seccompProfileDefault, seccompProfileUnconfined:
// known special names for built-in profiles, nothing to do.
default:
// value may be a filename, in which case we send the profile's
// content if it's valid JSON.
f, err := os.ReadFile(v) f, err := os.ReadFile(v)
if err != nil { if err != nil {
return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", v, err) return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", v, err)
@ -926,6 +946,7 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes()) securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
} }
} }
}
return securityOpts, nil return securityOpts, nil
} }

View File

@ -1275,7 +1275,7 @@ in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
### <a name="security-opt"></a> Optional security options (--security-opt) ### <a name="security-opt"></a> Optional security options (--security-opt)
| Option | Description | | Option | Description |
|:------------------------------------------|:--------------------------------------------------------------------------| |:------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--security-opt="label=user:USER"` | Set the label user for the container | | `--security-opt="label=user:USER"` | Set the label user for the container |
| `--security-opt="label=role:ROLE"` | Set the label role for the container | | `--security-opt="label=role:ROLE"` | Set the label role for the container |
| `--security-opt="label=type:TYPE"` | Set the label type for the container | | `--security-opt="label=type:TYPE"` | Set the label type for the container |
@ -1284,6 +1284,7 @@ in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
| `--security-opt="apparmor=PROFILE"` | Set the apparmor profile to be applied to the container | | `--security-opt="apparmor=PROFILE"` | Set the apparmor profile to be applied to the container |
| `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges | | `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges |
| `--security-opt="seccomp=unconfined"` | Turn off seccomp confinement for the container | | `--security-opt="seccomp=unconfined"` | Turn off seccomp confinement for the container |
| `--security-opt="seccomp=builtin"` | Use the default (built-in) seccomp profile for the container. This can be used to enable seccomp for a container running on a daemon with a custom default profile set, or with seccomp disabled ("unconfined"). |
| `--security-opt="seccomp=profile.json"` | White-listed syscalls seccomp Json file to be used as a seccomp filter | | `--security-opt="seccomp=profile.json"` | White-listed syscalls seccomp Json file to be used as a seccomp filter |
The `--security-opt` flag lets you override the default labeling scheme for a The `--security-opt` flag lets you override the default labeling scheme for a