quadlet: Add support for setting seccomp profile

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2022-10-20 10:41:24 +02:00 · 2022-10-20 10:41:24 +02:00 · f6f65f49db
parent a9f0957c24
commit f6f65f49db
4 changed files with 19 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -154,6 +154,11 @@ If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless

 **NOTE:** Podman will automatically copy any content from the image onto the tmpfs

+#### `SeccompProfile=`
+
+Set the seccomp profile to use in the container. If unset, the default podman profile is used.
+Set to either the pathname of a json file, or `unconfined` to disable the seccomp filters.
+
 #### `RemapUsers=` (defaults to `no`)

 If this is enabled, then host user and group ids are remapped in the container, such that all the uids
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -70,6 +70,7 @@ const (
 	KeyRunInit         = "RunInit"
 	KeyVolatileTmp     = "VolatileTmp"
 	KeyTimezone        = "Timezone"
+	KeySeccompProfile  = "SeccompProfile"
 )

 // Supported keys in "Container" group
@ -102,6 +103,7 @@ var supportedContainerKeys = map[string]bool{
 	KeyRunInit:         true,
 	KeyVolatileTmp:     true,
 	KeyTimezone:        true,
+	KeySeccompProfile:  true,
 }

 // Supported keys in "Volume" group
@ -394,6 +396,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.add("--security-opt=no-new-privileges")
 	}

+	// Default to no higher level privileges or caps
+	seccompProfile, hasSeccompProfile := container.Lookup(ContainerGroup, KeySeccompProfile)
+	if hasSeccompProfile {
+		podman.add("--security-opt", fmt.Sprintf("seccomp=%s", seccompProfile))
+	}
+
 	dropCaps := []string{"all"} // Default
 	if container.HasKey(ContainerGroup, KeyDropCapability) {
 		dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability)
--- a/test/e2e/quadlet/seccomp.container
+++ b/test/e2e/quadlet/seccomp.container
@ -0,0 +1,5 @@
+## assert-podman-args --security-opt seccomp=unconfined
+
+[Container]
+Image=localhost/imagename
+SeccompProfile=unconfined
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@ -288,6 +288,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
 		Entry("readwrite.container", "readwrite.container"),
 		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
+		Entry("seccomp.container", "seccomp.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("user.container", "user.container"),
 		Entry("user-host.container", "user-host.container"),