takes a local seccomp daemon, reads the file contents for sending to the daemon
(securityOpts []string)
| 927 | |
| 928 | // takes a local seccomp daemon, reads the file contents for sending to the daemon |
| 929 | func parseSecurityOpts(securityOpts []string) ([]string, error) { |
| 930 | for key, opt := range securityOpts { |
| 931 | k, v, ok := strings.Cut(opt, "=") |
| 932 | if !ok && k != "no-new-privileges" { |
| 933 | k, v, ok = strings.Cut(opt, ":") |
| 934 | } |
| 935 | if (!ok || v == "") && k != "no-new-privileges" { |
| 936 | // "no-new-privileges" is the only option that does not require a value. |
| 937 | return securityOpts, fmt.Errorf("invalid --security-opt: %q", opt) |
| 938 | } |
| 939 | if k == "seccomp" { |
| 940 | switch v { |
| 941 | case seccompProfileDefault, seccompProfileUnconfined: |
| 942 | // known special names for built-in profiles, nothing to do. |
| 943 | default: |
| 944 | // value may be a filename, in which case we send the profile's |
| 945 | // content if it's valid JSON. |
| 946 | f, err := os.ReadFile(v) |
| 947 | if err != nil { |
| 948 | return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %w", v, err) |
| 949 | } |
| 950 | var b bytes.Buffer |
| 951 | if err := json.Compact(&b, f); err != nil { |
| 952 | return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %w", v, err) |
| 953 | } |
| 954 | securityOpts[key] = "seccomp=" + b.String() |
| 955 | } |
| 956 | } |
| 957 | } |
| 958 | |
| 959 | return securityOpts, nil |
| 960 | } |
| 961 | |
| 962 | // parseSystemPaths checks if `systempaths=unconfined` security option is set, |
| 963 | // and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated |