From 1eae524df646c0f3f230c97a566854ccfedbb04a Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Wed, 2 Sep 2020 15:55:44 -0700
Subject: [PATCH] ctr: CLI Flag (seccomp-profile) for setting custom seccomp profile.
Signed-off-by: Shishir Mahajan
---
 cmd/ctr/commands/commands.go | 4 ++++
 cmd/ctr/commands/run/run_unix.go | 17 +++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
index 9156b0b13..0d831f150 100644
--- a/cmd/ctr/commands/commands.go
+++ b/cmd/ctr/commands/commands.go
@@ -155,6 +155,10 @@ var (
 Name: "seccomp",
 Usage: "enable the default seccomp profile",
 },
+ cli.StringFlag{
+ Name: "seccomp-profile",
+ Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",
+ },
 }
 )
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
index 8ab81c4e0..07809f5cb 100644
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -20,6 +20,7 @@ package run
 import (
 gocontext "context"
+ "fmt"
 "path/filepath"
 "strconv"
 "strings"
@@ -185,9 +186,21 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 if context.Bool("net-host") {
 opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)
 }
- if context.Bool("seccomp") {
- opts = append(opts, seccomp.WithDefaultProfile())
+
+ seccompProfile := context.String("seccomp-profile")
+
+ if !context.Bool("seccomp") && seccompProfile != "" {
+ return nil, fmt.Errorf("seccomp must be set to true, if using a custom seccomp-profile")
 }
+
+ if context.Bool("seccomp") {
+ if seccompProfile != "" {
+ opts = append(opts, seccomp.WithProfile(seccompProfile))
+ } else {
+ opts = append(opts, seccomp.WithDefaultProfile())
+ }
+ }
+
 if cpus := context.Float64("cpus"); cpus > 0.0 {
 var (
 period = uint64(100000)
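Review bot: The Usage text of the new `seccomp-profile` flag in commands.go never names the companion flag by its CLI spelling and reads awkwardly ("seccomp must be set to true, before using seccomp-profile"), so a user reading `ctr run --help` has to guess that it means `--seccomp`. Suggest `Usage: "file path to a custom seccomp profile (requires --seccomp)"`, which states the precondition in the same form the user types it. The enclosing `var (` block begins before this hunk.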
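Review bot: In the NewContainer hunk of run_unix.go the new code evaluates `context.Bool("seccomp")` twice and builds a constant message with `fmt.Errorf` although it has no format verbs, which is what pulled the new `"fmt"` import into the file in the earlier hunk; a single `switch` over the three outcomes (error, custom profile, default profile) with `errors.New` is flatter and makes the either/or between `seccomp.WithProfile` and `seccomp.WithDefaultProfile` explicit, since as written a custom profile replaces the default rather than extending it. If nothing else in the file uses `fmt`, the import should then become `"errors"`. Because `seccomp.WithProfile` is outside this diff, it is worth confirming that it fails the spec build on an unreadable or malformed file rather than applying a partial profile, so a typo in the path cannot leave the container with weaker restrictions than the operator asked for. NewContainer begins and ends outside this hunk.
```go
	seccompProfile := context.String("seccomp-profile")
	switch {
	case seccompProfile != "" && !context.Bool("seccomp"):
		return nil, errors.New("seccomp must be set to true, if using a custom seccomp-profile")
	case seccompProfile != "":
		// A custom profile replaces the default profile; it does not extend it.
		opts = append(opts, seccomp.WithProfile(seccompProfile))
	case context.Bool("seccomp"):
		opts = append(opts, seccomp.WithDefaultProfile())
	}
	// … unchanged: cpus / period handling …
```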