buildah/seccomp.go

//go:build seccomp && linux

package buildah

import (
	"fmt"
	"os"

	"github.com/opencontainers/runtime-spec/specs-go"
	"go.podman.io/common/pkg/seccomp"
)

func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
	switch seccompProfilePath {
	case "unconfined":
		spec.Linux.Seccomp = nil
	case "":
		seccompConfig, err := seccomp.GetDefaultProfile(spec)
		if err != nil {
			return fmt.Errorf("loading default seccomp profile failed: %w", err)
		}
		spec.Linux.Seccomp = seccompConfig
	default:
		seccompProfile, err := os.ReadFile(seccompProfilePath)
		if err != nil {
			return fmt.Errorf("opening seccomp profile failed: %w", err)
		}
		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
		if err != nil {
			return fmt.Errorf("loading seccomp profile (%s) failed: %w", seccompProfilePath, err)
		}
		spec.Linux.Seccomp = seccompConfig
	}
	return nil
}
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`//go:build seccomp && linux`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00
			`package buildah`

			`import (`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`"fmt"`
Replace io/ioutil calls with os calls In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from compiling. Replace all calls with equivalent calls from the `os` package. Signed-off-by: Chris Evich <cevich@redhat.com> 2022-11-15 00:22:45 +08:00			`"os"`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00
			`"github.com/opencontainers/runtime-spec/specs-go"`
Switch common, storage and image to monorepo. Signed-off-by: Jan Kaluza <jkaluza@redhat.com> 2025-08-29 20:55:12 +08:00			`"go.podman.io/common/pkg/seccomp"`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`)`

			`func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {`
			`switch seccompProfilePath {`
			`case "unconfined":`
			`spec.Linux.Seccomp = nil`
			`case "":`
			`seccompConfig, err := seccomp.GetDefaultProfile(spec)`
			`if err != nil {`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`return fmt.Errorf("loading default seccomp profile failed: %w", err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`spec.Linux.Seccomp = seccompConfig`
			`default:`
Replace io/ioutil calls with os calls In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from compiling. Replace all calls with equivalent calls from the `os` package. Signed-off-by: Chris Evich <cevich@redhat.com> 2022-11-15 00:22:45 +08:00			`seccompProfile, err := os.ReadFile(seccompProfilePath)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`if err != nil {`
Fix stutters Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ... This patch removes the stutter. Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter. Signed-off-by: Daniel J Walsh dwalsh@redhat.com [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2022-09-18 18:36:08 +08:00			`return fmt.Errorf("opening seccomp profile failed: %w", err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)`
			`if err != nil {`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`return fmt.Errorf("loading seccomp profile (%s) failed: %w", seccompProfilePath, err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`spec.Linux.Seccomp = seccompConfig`
			`}`
			`return nil`
			`}`