"github.com/containers/common/libimage"
goSeccomp "github.com/containers/common/pkg/seccomp"
"github.com/containers/podman/v5/pkg/seccomp"
"github.com/containers/podman/v5/pkg/specgen"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *libimage.Image) (*spec.LinuxSeccomp, error) {
var seccompConfig *spec.LinuxSeccomp
scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
if scp == seccomp.PolicyImage {
return nil, errors.New("cannot read seccomp profile without a valid image")
labels, err := img.Labels(context.Background())
imagePolicy := labels[seccomp.ContainerImageLabel]
if len(imagePolicy) < 1 {
return nil, errors.New("no seccomp policy defined by image")
logrus.Debug("Loading seccomp profile from the security config")
seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
return nil, fmt.Errorf("loading seccomp profile failed: %w", err)
return seccompConfig, nil
if s.SeccompProfilePath != "" {
logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
seccompProfile, err := os.ReadFile(s.SeccompProfilePath)
return nil, fmt.Errorf("opening seccomp profile failed: %w", err)
seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
return nil, fmt.Errorf("loading seccomp profile (%s) failed: %w", s.SeccompProfilePath, err)
logrus.Debug("Loading default seccomp profile")
seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
return nil, fmt.Errorf("loading seccomp profile (%s) failed: %w", s.SeccompProfilePath, err)
return seccompConfig, nil