From f6f65f49db5cf702a90f3986123352e4f31d7c2a Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 20 Oct 2022 10:41:24 +0200
Subject: [PATCH] quadlet: Add support for setting seccomp profile

Signed-off-by: Alexander Larsson
---
 docs/source/markdown/podman-systemd.unit.5.md | 5 +++++
 pkg/systemd/quadlet/quadlet.go | 8 ++++++++
 test/e2e/quadlet/seccomp.container | 5 +++++
 test/e2e/quadlet_test.go | 1 +
 4 files changed, 19 insertions(+)
 create mode 100644 test/e2e/quadlet/seccomp.container

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index f45ac6a606..5d3cf47372 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -154,6 +154,11 @@ If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless
 
 **NOTE:** Podman will automatically copy any content from the image onto the tmpfs
 
+#### `SeccompProfile=`
+
+Set the seccomp profile to use in the container. If unset, the default podman profile is used.
+Set to either the pathname of a json file, or `unconfined` to disable the seccomp filters.
+
 #### `RemapUsers=` (defaults to `no`)
 
 If this is enabled, then host user and group ids are remapped in the container, such that all the uids
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 5c3c83c27d..4674bf15b1 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -70,6 +70,7 @@ const (
 KeyRunInit = "RunInit"
 KeyVolatileTmp = "VolatileTmp"
 KeyTimezone = "Timezone"
+ KeySeccompProfile = "SeccompProfile"
 )
 
 // Supported keys in "Container" group
@@ -102,6 +103,7 @@ var supportedContainerKeys = map[string]bool{
 KeyRunInit: true,
 KeyVolatileTmp: true,
 KeyTimezone: true,
+ KeySeccompProfile: true,
 }
 
 // Supported keys in "Volume" group
@@ -394,6 +396,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 podman.add("--security-opt=no-new-privileges")
 }
 
+ // Default to no higher level privileges or caps
+ seccompProfile, hasSeccompProfile := container.Lookup(ContainerGroup, KeySeccompProfile)
+ if hasSeccompProfile {
+ podman.add("--security-opt", fmt.Sprintf("seccomp=%s", seccompProfile))
+ }
+
 dropCaps := []string{"all"} // Default
 if container.HasKey(ContainerGroup, KeyDropCapability) {
 dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability)
diff --git a/test/e2e/quadlet/seccomp.container b/test/e2e/quadlet/seccomp.container
new file mode 100644
index 0000000000..5bfddffa5f
--- /dev/null
+++ b/test/e2e/quadlet/seccomp.container
@@ -0,0 +1,5 @@
+## assert-podman-args --security-opt seccomp=unconfined
+
+[Container]
+Image=localhost/imagename
+SeccompProfile=unconfined
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index a5df0698a5..640aaf1c4b 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -288,6 +288,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
 Entry("readwrite.container", "readwrite.container"),
 Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
+ Entry("seccomp.container", "seccomp.container"),
 Entry("timezone.container", "timezone.container"),
 Entry("user.container", "user.container"),
 Entry("user-host.container", "user-host.container"),
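Review bot: The comment `// Default to no higher level privileges or caps` added above the new `container.Lookup(ContainerGroup, KeySeccompProfile)` does not describe the seccomp lookup beneath it and looks carried over from the no-new-privileges block just above, so a reader will assume some default is being applied here when none is; I would replace it with `// Forward SeccompProfile= as --security-opt seccomp=<value>; podman applies its own default profile when the key is absent`. The value is also passed through unvalidated: an empty `SeccompProfile=` line produces a bare `--security-opt seccomp=`, whose effect is left to podman's parsing, so a `seccompProfile != ""` guard (or a conversion error) would make that misconfiguration explicit rather than silent. The docs describe the value as a "pathname", and a relative path is presumably resolved against the generated service's working directory rather than the unit file's directory, which is worth stating in the comment or the man page. The new seccomp.container fixture only asserts the `unconfined` case; a second fixture with a file path would cover the branch that actually restricts the container. ConvertContainer begins and ends outside this hunk.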