Remove "seccomp" build tag

Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does. Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
moby · May 12, 2022 · c9e19a2 · c9e19a2
1 parent 888c618
commit c9e19a2
Show file tree

Hide file tree

Showing 11 changed files with 5 additions and 74 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -5,7 +5,6 @@ ARG SYSTEMD="false"
 ARG GO_VERSION=1.18.2
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.5.0
-ARG DOCKER_BUILDTAGS="apparmor seccomp"
 
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

diff --git a/daemon/seccomp_disabled.go b/daemon/seccomp_disabled.go
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

diff --git a/hack/test/unit b/hack/test/unit
@@ -12,7 +12,7 @@
 #
 set -eux -o pipefail
 
-BUILDFLAGS=(-tags 'netgo seccomp libdm_no_deferred_remove')
+BUILDFLAGS=(-tags 'netgo libdm_no_deferred_remove')
 TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
 TESTDIRS="${TESTDIRS:-./...}"
 exclude_paths='/vendor/|/integration'

diff --git a/integration-cli/requirements_unix_test.go b/integration-cli/requirements_unix_test.go
@@ -62,7 +62,7 @@ func cgroupCpuset() bool {
 }
 
 func seccompEnabled() bool {
-	return supportsSeccomp && SysInfo.Seccomp
+	return SysInfo.Seccomp
 }
 
 func bridgeNfIptables() bool {

diff --git a/integration-cli/test_vars_noseccomp_test.go b/integration-cli/test_vars_noseccomp_test.go
diff --git a/integration-cli/test_vars_seccomp_test.go b/integration-cli/test_vars_seccomp_test.go
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
@@ -1,6 +1,3 @@
-//go:build seccomp
-// +build seccomp
-
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 import (

diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
diff --git a/project/PACKAGERS.md b/project/PACKAGERS.md
@@ -81,14 +81,8 @@ Please use our build script ("./hack/make.sh") for compilation.
 
 ### `DOCKER_BUILDTAGS`
 
-If you're building a binary that might be used on platforms that include
-seccomp, you will need to use the `seccomp` build tag:
-```bash
-export DOCKER_BUILDTAGS='seccomp'
-```
-
-There are build tags for disabling graphdrivers as well. By default, support
-for all graphdrivers are built in.
+There are build tags for disabling graphdrivers, if necessary. By default,
+support for all graphdrivers are built in.
 
 To disable btrfs:
 ```bash
@@ -107,7 +101,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
 
 NOTE: if you need to set more than one build tag, space separate them:
 ```bash
-export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs exclude_graphdriver_btrfs'
 ```
 
 ## System Dependencies