Merge pull request #20428 from jfrazelle/generate-conversion

generate seccomp profile convert type
Brian Goff 2016-02-26 10:28:23 -05:00
commit c47674efda
8 changed files with 981 additions and 962 deletions


@ -72,7 +72,10 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
} }
if c.SeccompProfile == "" { if c.SeccompProfile == "" {
container.Seccomp = seccomp.GetDefaultProfile() container.Seccomp, err = seccomp.GetDefaultProfile()
if err != nil {
return nil, err
}
} }
} }
// add CAP_ prefix to all caps for new libcontainer update to match // add CAP_ prefix to all caps for new libcontainer update to match


@ -909,3 +909,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err) c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err)
} }
} }
// make sure the default profile can be successfully parsed (using unshare as it is
// something which we know is blocked in the default profile)
func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled)
out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp:../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
c.Assert(err, checker.NotNil, check.Commentf(out))
c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted")
}
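Review bot: The assertion on `Operation not permitted` in TestRunSeccompWithDefaultProfile does not by itself show that the profile file was parsed and applied, because unshare can return EPERM for reasons other than seccomp (for example a host that restricts user namespaces), and the daemon's built-in default presumably blocks the call as well. A control assertion would tie the failure to the filter: either a command the profile allows, or the same command under `seccomp:unconfined` expected to succeed. The relative path `../profiles/seccomp/default.json` also depends on the directory the suite runs from; a comment such as `// profile path is relative to the directory the suite is run from` would record that assumption.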

File diff suppressed because it is too large Load Diff


@ -20,11 +20,8 @@ func main() {
} }
f := filepath.Join(wd, "default.json") f := filepath.Join(wd, "default.json")
// get the default profile
p := seccomp.GetDefaultProfile()
// write the default profile to the file // write the default profile to the file
b, err := json.MarshalIndent(p, "", "\t") b, err := json.MarshalIndent(seccomp.DefaultProfile, "", "\t")
if err != nil { if err != nil {
panic(err) panic(err)
} }


@ -14,8 +14,8 @@ import (
//go:generate go run -tags 'seccomp' generate.go //go:generate go run -tags 'seccomp' generate.go
// GetDefaultProfile returns the default seccomp profile. // GetDefaultProfile returns the default seccomp profile.
func GetDefaultProfile() *configs.Seccomp { func GetDefaultProfile() (*configs.Seccomp, error) {
return defaultProfile return setupSeccomp(DefaultProfile)
} }
// LoadProfile takes a file path a decodes the seccomp profile. // LoadProfile takes a file path a decodes the seccomp profile.
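Review bot: The doc comment on GetDefaultProfile still reads "returns the default seccomp profile", although the function now converts `DefaultProfile` on every call and can fail. It should say so, e.g. `// GetDefaultProfile converts DefaultProfile to its libcontainer form; it returns an error if the conversion fails.` `DefaultProfile` is documented as a nil pointer on unsupported systems and `setupSeccomp` is not visible here, so it is worth confirming that a nil input yields a defined result (a nil profile or an error) rather than a nil dereference.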

File diff suppressed because it is too large Load Diff


@ -12,7 +12,16 @@ func TestLoadProfile(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
if _, err := LoadProfile(string(f)); err != nil {
t.Fatal(err)
}
}
func TestLoadDefaultProfile(t *testing.T) {
f, err := ioutil.ReadFile("default.json")
if err != nil {
t.Fatal(err)
}
if _, err := LoadProfile(string(f)); err != nil { if _, err := LoadProfile(string(f)); err != nil {
t.Fatal(err) t.Fatal(err)
} }
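Review bot: TestLoadDefaultProfile only checks that `default.json` parses, so it would still pass if the checked-in file had drifted from the in-code `DefaultProfile`, which is what createContainer applies when `SeccompProfile` is empty. Comparing the value returned by `LoadProfile` with the result of `GetDefaultProfile()` would catch a stale generated file, e.g. `if !reflect.DeepEqual(loaded, def) { t.Fatal("default.json differs from DefaultProfile") }`. The function's closing brace lies outside the hunk.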


@ -2,9 +2,9 @@
package seccomp package seccomp
import "github.com/opencontainers/runc/libcontainer/configs" import "github.com/docker/engine-api/types"
var ( var (
// defaultProfile is a nil pointer on unsupported systems. // DefaultProfile is a nil pointer on unsupported systems.
defaultProfile *configs.Seccomp DefaultProfile *types.Seccomp
) )
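Review bot: Exporting `DefaultProfile` as a package-level `var` lets any importing package reassign or mutate it, and `GetDefaultProfile` reads it on each call, so such a change would silently alter the filter applied to containers that request no profile. If the export is only needed by the generator, the comment should at least state the contract, e.g. `// DefaultProfile must be treated as read-only; it is a nil pointer on unsupported systems.` The definition used on supported systems is in a diff that is suppressed on this page, so the same comment would be needed there.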