Merge pull request #4525 from shishir-a412ed/seccomp

estesp · web-flow · commit 43394312cb1e · 2020-09-03T09:14:30.000-04:00
ctr: CLI Flag (seccomp-profile) for setting custom seccomp profile.
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -155,6 +155,10 @@ var (
 			Name:  "seccomp",
 			Usage: "enable the default seccomp profile",
 		},
+		cli.StringFlag{
+			Name:  "seccomp-profile",
+			Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -20,6 +20,7 @@ package run
 
 import (
 	gocontext "context"
+	"fmt"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -185,9 +186,21 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		if context.Bool("net-host") {
 			opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)
 		}
+
+		seccompProfile := context.String("seccomp-profile")
+
+		if !context.Bool("seccomp") && seccompProfile != "" {
+			return nil, fmt.Errorf("seccomp must be set to true, if using a custom seccomp-profile")
+		}
+
 		if context.Bool("seccomp") {
-			opts = append(opts, seccomp.WithDefaultProfile())
+			if seccompProfile != "" {
+				opts = append(opts, seccomp.WithProfile(seccompProfile))
+			} else {
+				opts = append(opts, seccomp.WithDefaultProfile())
+			}
 		}
+
 		if cpus := context.Float64("cpus"); cpus > 0.0 {
 			var (
 				period = uint64(100000)

Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,10 @@ var (`
`155`	`155`	`Name: "seccomp",`
`156`	`156`	`Usage: "enable the default seccomp profile",`
`157`	`157`	`},`
	`158`	`+ cli.StringFlag{`
	`159`	`+ Name: "seccomp-profile",`
	`160`	`+ Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",`
	`161`	`+ },`
`158`	`162`	`}`
`159`	`163`	`)`
`160`	`164`