hub / github.com/nektos/act / parseSecurityOpts

Function parseSecurityOpts

pkg/container/docker_cli.go:936–967  ·  view source on GitHub ↗

Takes a local seccomp profile file and reads its contents so they can be sent to the daemon.

(securityOpts []string)

Source from the content-addressed store, hash-verified

// parseSecurityOpts checks the syntax of every --security-opt entry and
// replaces a seccomp profile given as a file path with the profile's content.
//
// Each entry must look like "name=value" or "name:value"; the bare name
// "no-new-privileges" is the only entry accepted without a value. For a
// "seccomp" entry whose value is not one of the built-in profile names
// (seccompProfileDefault, seccompProfileUnconfined), the value is treated as
// a path: the file is read, compacted as JSON, and the entry is rewritten in
// place to "seccomp=<compacted JSON>".
//
// Security notes for reviewers:
//   - This is a syntax check, not a policy check. seccompProfileUnconfined and
//     every non-seccomp option are passed through unchanged, so any
//     restriction on weakening container confinement has to be enforced
//     elsewhere.
//   - The profile path is handed to os.ReadFile exactly as given; this
//     function applies no size bound and no directory restriction, and the
//     read happens with the privileges of the calling process. Only JSON
//     well-formedness is checked here, not the profile schema.
//     NOTE(review): if the options can originate from input less trusted
//     than the invoking user, confirm the caller constrains them.
//   - The input slice is modified in place and is also what gets returned.
//     On error, entries before the failing one may already have been
//     rewritten.
func parseSecurityOpts(securityOpts []string) ([]string, error) {
	for i, opt := range securityOpts {
		// Prefer the "name=value" form and fall back to "name:value".
		name, val, found := strings.Cut(opt, "=")
		if !found && name != "no-new-privileges" {
			name, val, found = strings.Cut(opt, ":")
		}

		// "no-new-privileges" is the only option that does not require a value.
		if name != "no-new-privileges" && (!found || val == "") {
			return securityOpts, fmt.Errorf("invalid --security-opt: %q", opt)
		}

		if name != "seccomp" {
			continue
		}
		if val == seccompProfileDefault || val == seccompProfileUnconfined {
			// Known special names for built-in profiles, nothing to do.
			continue
		}

		// Anything else is taken to be a filename; its content replaces the
		// path in the option, provided it is valid JSON.
		raw, err := os.ReadFile(val)
		if err != nil {
			return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %w", val, err)
		}

		var compacted bytes.Buffer
		if err := json.Compact(&compacted, raw); err != nil {
			return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %w", val, err)
		}
		securityOpts[i] = "seccomp=" + compacted.String()
	}

	return securityOpts, nil
}
969// parseSystemPaths checks if `systempaths=unconfined` security option is set,
970// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated

Callers 1

parseFunction · 0.85

Calls 1

StringMethod · 0.45

Tested by

no test coverage detected
