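// parseSecurityOpts validates a list of --security-opt values and resolves
// seccomp profile paths on the client side.
//
// Each entry must have the form "key=value" or "key:value"; the only entry
// allowed without a value is "no-new-privileges". For "seccomp", the values
// seccompProfileDefault and seccompProfileUnconfined are passed through
// untouched; any other value is treated as a local file path, read here, and
// replaced in place by "seccomp=<compacted JSON>". This is why the daemon
// never sees the original path — it receives the profile body instead.
//
// Only JSON syntax is checked (json.Compact); nothing here verifies that the
// document is actually a seccomp profile. That validation is left to the
// daemon.
//
// The slice is modified in place and also returned. On error the returned
// slice is the input, possibly with entries before the failing one already
// rewritten, and the error names the offending option or file.
func parseSecurityOpts(securityOpts []string) ([]string, error) {
	for key, opt := range securityOpts {
		k, v, ok := strings.Cut(opt, "=")
		if !ok && k != "no-new-privileges" {
			// Accept the legacy "key:value" separator as well.
			k, v, ok = strings.Cut(opt, ":")
		}
		if (!ok || v == "") && k != "no-new-privileges" {
			// "no-new-privileges" is the only option that does not require a value.
			return securityOpts, fmt.Errorf("invalid --security-opt: %q", opt)
		}
		if k != "seccomp" {
			continue
		}
		switch v {
		case seccompProfileDefault, seccompProfileUnconfined:
			// Known names for built-in profiles; the daemon resolves them itself.
		default:
			// Anything else is a path to a profile file. Read it now so the
			// daemon receives the profile content rather than a client-local path.
			f, err := os.ReadFile(v)
			if err != nil {
				return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %w", v, err)
			}
			// json.Compact both validates the syntax and strips whitespace so
			// the profile fits in a single option value.
			var b bytes.Buffer
			if err := json.Compact(&b, f); err != nil {
				return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %w", v, err)
			}
			securityOpts[key] = "seccomp=" + b.String()
		}
	}

	return securityOpts, nil
}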
| 969 | // parseSystemPaths checks if `systempaths=unconfined` security option is set, |
| 970 | // and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated |