f711cd5f01
This fix tries to address the issue raised in #24374 where `docker info` outputs seccomp support in Ubuntu 14.04 but the seccomp wass not actually supported. The issue is that in the current docker implementation, seccomp support is only checked against the kernel by inspect CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER. However, seccomp might not be enabled when building docker (through golang build flag). This fix adds a supportSeccomp boolean variable. The supportSeccomp is only set to true when seccomp is enabled when building docker. This fix fixes #24374. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> Upstream-commit: a3b9dd89a1b19e7f84617b91f3756ae816c11035 Component: engine
49 lines
1.0 KiB
Go
49 lines
1.0 KiB
Go
// +build linux,seccomp
|
|
|
|
package daemon
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/Sirupsen/logrus"
|
|
"github.com/docker/docker/container"
|
|
"github.com/docker/docker/profiles/seccomp"
|
|
"github.com/opencontainers/specs/specs-go"
|
|
)
|
|
|
|
var supportsSeccomp = true
|
|
|
|
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
|
|
var profile *specs.Seccomp
|
|
var err error
|
|
|
|
if c.HostConfig.Privileged {
|
|
return nil
|
|
}
|
|
|
|
if !daemon.seccompEnabled {
|
|
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
|
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
|
|
}
|
|
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
|
|
c.SeccompProfile = "unconfined"
|
|
}
|
|
if c.SeccompProfile == "unconfined" {
|
|
return nil
|
|
}
|
|
if c.SeccompProfile != "" {
|
|
profile, err = seccomp.LoadProfile(c.SeccompProfile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
} else {
|
|
profile, err = seccomp.GetDefaultProfile(rs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
rs.Linux.Seccomp = profile
|
|
return nil
|
|
}
|