
Commit 8c55679

authored
Merge pull request #6908 from jiwahn/parse-seccomp-profile
parse: honor containers.conf seccomp_profile
2 parents 9ce0fe1 + ff88fe7 commit 8c55679

2 files changed

Lines changed: 82 additions & 0 deletions


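--- a/pkg/parse/parse.go
+++ b/pkg/parse/parse.go
@@ -235,6 +235,7 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	if err != nil {
 		return nil, fmt.Errorf("failed to get container config: %w", err)
 	}
+	securityOpts = addSeccompFromConfig(securityOpts, defConfig.Containers.SeccompProfile)
 	if defConfig.Containers.EnableLabeledUsers {
 		defSecurityOpts, err := currentLabelOpts()
 		if err != nil {
@@ -249,6 +250,21 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	return commonOpts, nil
 }
 
+// addSeccompFromConfig appends seccompProfile as a seccomp security option
+// when seccompProfile is non-default and securityOpts does not already contain
+// a seccomp option.
+func addSeccompFromConfig(securityOpts []string, seccompProfile string) []string {
+	if seccompProfile == "" || seccompProfile == SeccompDefaultPath {
+		return securityOpts
+	}
+	for _, opt := range securityOpts {
+		if strings.HasPrefix(opt, "seccomp=") {
+			return securityOpts
+		}
+	}
+	return append(securityOpts, "seccomp="+seccompProfile)
+}
+
 // GetAdditionalBuildContext consumes a raw string and returns a parsed
 // AdditionalBuildContext describing the build context.
 func GetAdditionalBuildContext(value string) (define.AdditionalBuildContext, error) {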
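Review bot: The containers.conf `seccomp_profile` value is forwarded verbatim at the new call site in CommonBuildOptionsFromFlagSet — including `unconfined`, which this commit's test treats as a legitimate value — so a single host-wide config edit silently turns off syscall filtering for every build, and nothing in the hunk records where the effective profile came from. I would add a debug line next to the call, e.g. `logrus.Debugf("using seccomp profile %q from containers.conf", defConfig.Containers.SeccompProfile)`, under the same non-empty/non-default condition, provided parse.go already logs through logrus (the import block is outside the hunk). The doc comment on addSeccompFromConfig could also spell out the two cases it deliberately drops: a value equal to SeccompDefaultPath (so the caller's own default handling still applies) and any existing `seccomp=` entry (command line wins); note that only the `=` separator is matched. CommonBuildOptionsFromFlagSet starts and ends outside the hunk, so whether the appended option is validated downstream is not visible here.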

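--- a/pkg/parse/parse_test.go
+++ b/pkg/parse/parse_test.go
@@ -3,6 +3,7 @@ package parse //nolint:revive,nolintlint
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"runtime"
 	"testing"
 
@@ -11,6 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.podman.io/buildah/define"
+	"go.podman.io/common/pkg/config"
 	"go.podman.io/image/v5/types"
 )
 
@@ -29,6 +31,70 @@ func TestCommonBuildOptionsFromFlagSet(t *testing.T) {
 	assert.Equal(t, cbo.Memory, int64(2147483648))
 }
 
+func TestCommonBuildOptionsSeccompFromConfig(t *testing.T) {
+	configPath := filepath.Join(t.TempDir(), "containers.conf")
+	t.Setenv("CONTAINERS_CONF", configPath)
+	t.Cleanup(func() {
+		_, err := config.Reload()
+		assert.NoError(t, err)
+	})
+
+	defaultOptions := new(define.CommonBuildOptions)
+	require.NoError(t, parseSecurityOpts(nil, defaultOptions))
+
+	tests := []struct {
+		name string
+		containersConf string
+		securityOpts []string
+		expectedProfile string
+	}{
+		{
+			name: "configured unconfined",
+			containersConf: "[containers]\nseccomp_profile = \"unconfined\"\n",
+			expectedProfile: "unconfined",
+		},
+		{
+			name: "command line overrides config",
+			containersConf: "[containers]\nseccomp_profile = \"unconfined\"\n",
+			securityOpts: []string{"seccomp=/tmp/custom-seccomp.json"},
+			expectedProfile: "/tmp/custom-seccomp.json",
+		},
+		{
+			name: "no configured profile",
+			containersConf: "[containers]\n",
+			expectedProfile: defaultOptions.SeccompProfilePath,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			require.NoError(t, os.WriteFile(configPath, []byte(test.containersConf), 0o600))
+			_, err := config.Reload()
+			require.NoError(t, err)
+
+			fs := newCommonBuildOptionsFlagSet(t, test.securityOpts)
+			commonOpts, err := CommonBuildOptionsFromFlagSet(fs, fs.Lookup)
+			require.NoError(t, err)
+			assert.Equal(t, test.expectedProfile, commonOpts.SeccompProfilePath)
+		})
+	}
+}
+
+func newCommonBuildOptionsFlagSet(t *testing.T, securityOpts []string) *pflag.FlagSet {
+	t.Helper()
+
+	fs := pflag.NewFlagSet("common-build-options", pflag.ContinueOnError)
+	fs.String("cpuset-cpus", "", "")
+	fs.String("cpuset-mems", "", "")
+	fs.String("cgroup-parent", "", "")
+	fs.String("shm-size", "65536k", "")
+	fs.StringArray("security-opt", nil, "")
+	for _, securityOpt := range securityOpts {
+		require.NoError(t, fs.Set("security-opt", securityOpt))
+	}
+	return fs
+}
+
 // TestDeviceParser verifies the given device strings is parsed correctly
 func TestDeviceParser(t *testing.T) {
 	t.Parallel()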
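Review bot: The `t.Cleanup` that calls `config.Reload()` at the top of TestCommonBuildOptionsSeccompFromConfig is registered after `t.Setenv`, and cleanups run last-in-first-out, so the reload fires while CONTAINERS_CONF still points at the temp file (t.TempDir's removal runs even later) and re-reads the last case's "[containers]\n" instead of restoring the process-wide default; any later test in the package that consults the loaded config inherits that state. Register the reload before the env change: move `t.Cleanup(func() { _, err := config.Reload(); assert.NoError(t, err) })` above `t.Setenv("CONTAINERS_CONF", configPath)`, so it runs after the variable is restored. A one-line comment on the cleanup, `// registered before t.Setenv so it runs after the env var is restored`, would keep the order from being "tidied" back. The `defaultOptions` baseline is also computed before the first `config.Reload()`, so it reflects whatever config an earlier test left loaded, if parseSecurityOpts consults it at all — that dependency is not visible from this hunk.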
