Merge pull request #10155 from pablofsf/fix-default-seccomp

openshift-merge-robot · web-flow · commit db67fedcbd1f · 2021-04-28T15:40:30.000-04:00
Use seccomp_profile as default profile if defined in containers.conf
diff --git a/libpod/define/info.go b/libpod/define/info.go
@@ -17,6 +17,7 @@ type SecurityInfo struct {
 	DefaultCapabilities string `json:"capabilities"`
 	Rootless            bool   `json:"rootless"`
 	SECCOMPEnabled      bool   `json:"seccompEnabled"`
+	SECCOMPProfilePath  string `json:"seccompProfilePath"`
 	SELinuxEnabled      bool   `json:"selinuxEnabled"`
 }
 
diff --git a/libpod/info.go b/libpod/info.go
@@ -87,6 +87,12 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 	if err != nil {
 		return nil, errors.Wrapf(err, "error getting hostname")
 	}
+
+	seccompProfilePath, err := DefaultSeccompPath()
+	if err != nil {
+		return nil, errors.Wrapf(err, "error getting Seccomp profile path")
+	}
+
 	info := define.HostInfo{
 		Arch:           runtime.GOARCH,
 		BuildahVersion: buildah.Version,
@@ -106,6 +112,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 			DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
 			Rootless:            rootless.IsRootless(),
 			SECCOMPEnabled:      seccomp.IsEnabled(),
+			SECCOMPProfilePath:  seccompProfilePath,
 			SELinuxEnabled:      selinux.GetEnabled(),
 		},
 		Slirp4NetNS: define.SlirpInfo{},
diff --git a/libpod/util.go b/libpod/util.go
@@ -194,7 +194,15 @@ func programVersion(mountProgram string) (string, error) {
 // if it exists, first it checks OverrideSeccomp and then default.
 // If neither exist function returns ""
 func DefaultSeccompPath() (string, error) {
-	_, err := os.Stat(config.SeccompOverridePath)
+	def, err := config.Default()
+	if err != nil {
+		return "", err
+	}
+	if def.Containers.SeccompProfile != "" {
+		return def.Containers.SeccompProfile, nil
+	}
+
+	_, err = os.Stat(config.SeccompOverridePath)
 	if err == nil {
 		return config.SeccompOverridePath, nil
 	}
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go
@@ -353,4 +353,23 @@ var _ = Describe("Podman run", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(session.OutputToString()).To(ContainSubstring("test"))
 	})
+
+	It("podman info seccomp profile path", func() {
+		configPath := filepath.Join(podmanTest.TempDir, "containers.conf")
+		os.Setenv("CONTAINERS_CONF", configPath)
+
+		profile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+		containersConf := []byte(fmt.Sprintf("[containers]\nseccomp_profile=\"%s\"", profile))
+		err = ioutil.WriteFile(configPath, containersConf, os.ModePerm)
+		Expect(err).To(BeNil())
+
+		if IsRemote() {
+			podmanTest.RestartRemoteService()
+		}
+
+		session := podmanTest.Podman([]string{"info", "--format", "{{.Host.Security.SECCOMPProfilePath}}"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Equal(profile))
+	})
 })

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ type SecurityInfo struct {`
`17`	`17`	DefaultCapabilities string `json:"capabilities"`
`18`	`18`	Rootless bool `json:"rootless"`
`19`	`19`	SECCOMPEnabled bool `json:"seccompEnabled"`
	`20`	+ SECCOMPProfilePath string `json:"seccompProfilePath"`
`20`	`21`	SELinuxEnabled bool `json:"selinuxEnabled"`
`21`	`22`	`}`
`22`	`23`