buildah/seccomp.go

//go:build seccomp && linux
// +build seccomp,linux

package buildah

import (
	"fmt"
	"io/ioutil"

	"github.com/containers/common/pkg/seccomp"
	"github.com/opencontainers/runtime-spec/specs-go"
)

func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
	switch seccompProfilePath {
	case "unconfined":
		spec.Linux.Seccomp = nil
	case "":
		seccompConfig, err := seccomp.GetDefaultProfile(spec)
		if err != nil {
			return fmt.Errorf("loading default seccomp profile failed: %w", err)
		}
		spec.Linux.Seccomp = seccompConfig
	default:
		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
		if err != nil {
			return fmt.Errorf("opening seccomp profile failed: %w", err)
		}
		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
		if err != nil {
			return fmt.Errorf("loading seccomp profile (%s) failed: %w", seccompProfilePath, err)
		}
		spec.Linux.Seccomp = seccompConfig
	}
	return nil
}
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`//go:build seccomp && linux`
run: clear default seccomp filter if not enabled When seccomp is not enabled, make sure to clear any default setting which runtime-tools supplied for us. Likewise, if SELinux is not enabled, don't set a process label or a mount label. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #988 Approved by: rhatdan 2018-09-05 22:44:28 +08:00			`// +build seccomp,linux`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00
			`package buildah`

			`import (`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`"fmt"`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`"io/ioutil"`

Switch to containers/common for seccomp seccomp/containers-golang is deprecated and we should switch to containers/common/pkg/seccomp instead. Signed-off-by: Sascha Grunert <sgrunert@suse.com> 2020-08-28 17:38:44 +08:00			`"github.com/containers/common/pkg/seccomp"`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`"github.com/opencontainers/runtime-spec/specs-go"`
			`)`

			`func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {`
			`switch seccompProfilePath {`
			`case "unconfined":`
			`spec.Linux.Seccomp = nil`
			`case "":`
			`seccompConfig, err := seccomp.GetDefaultProfile(spec)`
			`if err != nil {`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`return fmt.Errorf("loading default seccomp profile failed: %w", err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`spec.Linux.Seccomp = seccompConfig`
			`default:`
			`seccompProfile, err := ioutil.ReadFile(seccompProfilePath)`
			`if err != nil {`
Fix stutters Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ... This patch removes the stutter. Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter. Signed-off-by: Daniel J Walsh dwalsh@redhat.com [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2022-09-18 18:36:08 +08:00			`return fmt.Errorf("opening seccomp profile failed: %w", err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)`
			`if err != nil {`
Switch to golang native error wrapping We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com> 2022-07-06 17:14:06 +08:00			`return fmt.Errorf("loading seccomp profile (%s) failed: %w", seccompProfilePath, err)`
build without seccomp If the seccomp build tag is disabled, build without it. Signed-off-by: baude <bbaude@redhat.com> Closes: #819 Approved by: rhatdan 2018-06-26 02:50:52 +08:00			`}`
			`spec.Linux.Seccomp = seccompConfig`
			`}`
			`return nil`
			`}`