Merge pull request docker#20428 from jfrazelle/generate-conversion

generate seccomp profile convert type
gg7 · Feb 26, 2016 · c47674e · c47674e
2 parents 9792308 + 11435b6
commit c47674e
Show file tree

Hide file tree

Showing 8 changed files with 980 additions and 961 deletions.
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
@@ -72,7 +72,10 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
 		}
 
 		if c.SeccompProfile == "" {
-			container.Seccomp = seccomp.GetDefaultProfile()
+			container.Seccomp, err = seccomp.GetDefaultProfile()
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 	// add CAP_ prefix to all caps for new libcontainer update to match

diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
@@ -909,3 +909,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
 		c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err)
 	}
 }
+
+// make sure the default profile can be successfully parsed (using unshare as it is
+// something which we know is blocked in the default profile)
+func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp:../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted")
+}