vendor for new seccomp helpers

Signed-off-by: Mike Brown <brownwm@us.ibm.com>

pkg/server/container_create.go

@@ -26,7 +26,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/contrib/apparmor"
 	"github.com/containerd/containerd/contrib/seccomp"
-	"github.com/containerd/containerd/typeurl"
+	"github.com/containerd/typeurl"
 	"github.com/docker/docker/pkg/mount"
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -51,14 +51,14 @@ const (
 	profileNamePrefix = "localhost/" // TODO (mikebrow): get localhost/ & runtime/default from CRI kubernetes/kubernetes#51747
 	// runtimeDefault indicates that we should use or create a runtime default profile.
 	runtimeDefault = "runtime/default"
-	// runtimeDefault indicates that we should use or create a docker default profile.
+	// dockerDefault indicates that we should use or create a docker default profile.
 	dockerDefault = "docker/default"
 	// appArmorDefaultProfileName is name to use when creating a default apparmor profile.
 	appArmorDefaultProfileName = "cri-containerd.apparmor.d"
 	// unconfinedProfile is a string indicating one should run a pod/containerd without a security profile
 	unconfinedProfile = "unconfined"
-	// seccompDefaultPodProfile is the default seccomp profile for pods.
-	seccompDefaultSandboxProfile = unconfinedProfile
+	// seccompDefaultSandboxProfile is the default seccomp profile for pods.
+	seccompDefaultSandboxProfile = dockerDefault
 	// seccompDefaultContainerProfile is the default seccomp profile for containers.
 	seccompDefaultContainerProfile = dockerDefault
 	// seccompEnabled is a flag for globally enabling/disabling seccomp profiles for containers.

pkg/server/events.go

@@ -20,7 +20,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/api/services/events/v1"
 	"github.com/containerd/containerd/errdefs"
-	"github.com/containerd/containerd/typeurl"
+	"github.com/containerd/typeurl"
 	"github.com/golang/glog"
 	"golang.org/x/net/context"
 

pkg/server/restart.go

@@ -26,7 +26,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
-	"github.com/containerd/containerd/typeurl"
+	"github.com/containerd/typeurl"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/pkg/system"
 	"github.com/golang/glog"

pkg/server/sandbox_run.go

@@ -23,7 +23,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/contrib/seccomp"
-	"github.com/containerd/containerd/typeurl"
+	"github.com/containerd/typeurl"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -132,9 +132,11 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	// Set seccomp profile
 	seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath()
 	if seccompProf == runtimeDefault || seccompProf == dockerDefault {
-		// use correct default profile (Eg. if not configured otherwise, the default is unconfined for pods)
+		// use correct default profile (Eg. if not configured otherwise, the default is docker/default for pods)
 		seccompProf = seccompDefaultSandboxProfile
 	}
+
+	// TODO (mikebrow): consider a fuction for the logic used in sandbox and container for secccomp
 	// Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged
 	if !seccompEnabled ||
 		seccompProf == unconfinedProfile ||

pkg/server/sandbox_run_test.go

@@ -20,7 +20,7 @@ import (
 	"os"
 	"testing"
 
-	"github.com/containerd/containerd/typeurl"
+	"github.com/containerd/typeurl"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"