github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

adds seccomp support

Browse Source 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown
2017-09-06 08:09:27 -05:00
parent 2ac9262091
commit c0a2d152d9
2 changed files with 68 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/server/sandbox_run.go
View File

@@ -22,6 +22,7 @@ import (
"strings"
"github.com/containerd/containerd"
"github.com/containerd/containerd/contrib/seccomp"
"github.com/containerd/containerd/typeurl"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/golang/glog"
@@ -127,6 +128,33 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
}
// Set seccomp profile
seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath()
if seccompProf == runtimeDefault || seccompProf == dockerDefault {
// use correct default profile (Eg. if not configured otherwise, the default is unconfined for pods)
seccompProf = seccompDefaultSandboxProfile
}
// Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged
if !seccompEnabled ||
seccompProf == unconfinedProfile ||
seccompProf == "" ||
config.GetLinux().GetSecurityContext().GetPrivileged() {
spec.Linux.Seccomp = nil
} else {
switch seccompProf {
case dockerDefault:
// Note: WithDefaultProfile specOpts must be added after capabilities
specOpts = append(specOpts, seccomp.WithDefaultProfile())
default:
// Require and Trim default profile name prefix
if !strings.HasPrefix(seccompProf, profileNamePrefix) {
return nil, fmt.Errorf("invalid seccomp profile %q", seccompProf)
}
specOpts = append(specOpts, seccomp.WithProfile(strings.TrimPrefix(seccompProf, profileNamePrefix)))
}
}
opts := []containerd.NewContainerOpts{
containerd.WithSnapshotter(c.config.ContainerdSnapshotter),
containerd.WithNewSnapshot(id, image.Image),
@@ -288,8 +316,6 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
g.AddLinuxSysctl(key, value)
}
// TODO(random-liu): [P2] Set seccomp
// Note: LinuxSandboxSecurityContext does not currently provide an apparmor profile
g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))