containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

quadlet: Add support for setting seccomp profile 

Signed-off-by: Alexander Larsson <alexl@redhat.com>
This commit is contained in:
Alexander Larsson 2022-10-20 10:41:24 +02:00
parent a9f0957c24
commit f6f65f49db
4 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/source/markdown/podman-systemd.unit.5.md
View File

@ -154,6 +154,11 @@ If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless
**NOTE:** Podman will automatically copy any content from the image onto the tmpfs **NOTE:** Podman will automatically copy any content from the image onto the tmpfs
#### `SeccompProfile=`
Set the seccomp profile to use in the container. If unset, the default podman profile is used.
Set to either the pathname of a json file, or `unconfined` to disable the seccomp filters.
#### `RemapUsers=` (defaults to `no`) #### `RemapUsers=` (defaults to `no`)
If this is enabled, then host user and group ids are remapped in the container, such that all the uids If this is enabled, then host user and group ids are remapped in the container, such that all the uids

8
pkg/systemd/quadlet/quadlet.go
View File

@ -70,6 +70,7 @@ const (
KeyRunInit = "RunInit" KeyRunInit = "RunInit"
KeyVolatileTmp = "VolatileTmp" KeyVolatileTmp = "VolatileTmp"
KeyTimezone = "Timezone" KeyTimezone = "Timezone"
KeySeccompProfile = "SeccompProfile"
) )
// Supported keys in "Container" group // Supported keys in "Container" group
@ -102,6 +103,7 @@ var supportedContainerKeys = map[string]bool{
KeyRunInit: true, KeyRunInit: true,
KeyVolatileTmp: true, KeyVolatileTmp: true,
KeyTimezone: true, KeyTimezone: true,
KeySeccompProfile: true,
} }
// Supported keys in "Volume" group // Supported keys in "Volume" group
@ -394,6 +396,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
podman.add("--security-opt=no-new-privileges") podman.add("--security-opt=no-new-privileges")
} }
// Default to no higher level privileges or caps
seccompProfile, hasSeccompProfile := container.Lookup(ContainerGroup, KeySeccompProfile)
if hasSeccompProfile {
podman.add("--security-opt", fmt.Sprintf("seccomp=%s", seccompProfile))
}
dropCaps := []string{"all"} // Default dropCaps := []string{"all"} // Default
if container.HasKey(ContainerGroup, KeyDropCapability) { if container.HasKey(ContainerGroup, KeyDropCapability) {
dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability) dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability)

5
test/e2e/quadlet/seccomp.container Normal file
View File

@ -0,0 +1,5 @@
## assert-podman-args --security-opt seccomp=unconfined
[Container]
Image=localhost/imagename
SeccompProfile=unconfined

1
test/e2e/quadlet_test.go
View File

@ -288,6 +288,7 @@ var _ = Describe("quadlet system generator", func() {
Entry("readonly-notmpfs.container", "readonly-notmpfs.container"), Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
Entry("readwrite.container", "readwrite.container"), Entry("readwrite.container", "readwrite.container"),
Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"), Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
Entry("seccomp.container", "seccomp.container"),
Entry("timezone.container", "timezone.container"), Entry("timezone.container", "timezone.container"),
Entry("user.container", "user.container"), Entry("user.container", "user.container"),
Entry("user-host.container", "user-host.container"), Entry("user-host.container", "user-host.container"),