internal/cri/sputil/seccomp_linux.go - third_party/containerd - Git at Google

 /*
    Copyright The containerd Authors.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
 */

 package sputil

 import (
 	"errors"
 	"strings"

 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"

 	"github.com/containerd/containerd/v2/contrib/seccomp"
 	"github.com/containerd/containerd/v2/pkg/oci"
 )

 func GenerateSeccompSecurityProfile(profilePath string, unsetProfilePath string) (*runtime.SecurityProfile, error) {
 	if profilePath != "" {
 		return generateSecurityProfile(profilePath)
 	}
 	if unsetProfilePath != "" {
 		return generateSecurityProfile(unsetProfilePath)
 	}
 	return nil, nil
 }

 // GenerateSeccompSpecOpts generates containerd SpecOpts for seccomp.
 func GenerateSeccompSpecOpts(sp *runtime.SecurityProfile, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
 	if privileged {
 		// Do not set seccomp profile when container is privileged
 		return nil, nil
 	}
 	if !seccompEnabled {
 		if sp != nil {
 			if sp.ProfileType != runtime.SecurityProfile_Unconfined {
 				return nil, errors.New("seccomp is not supported")
 			}
 		}
 		return nil, nil
 	}

 	if sp == nil {
 		return nil, nil
 	}

 	if sp.ProfileType != runtime.SecurityProfile_Localhost && sp.LocalhostRef != "" {
 		return nil, errors.New("seccomp config invalid LocalhostRef must only be set if ProfileType is Localhost")
 	}
 	switch sp.ProfileType {
 	case runtime.SecurityProfile_Unconfined:
 		// Do not set seccomp profile.
 		return nil, nil
 	case runtime.SecurityProfile_RuntimeDefault:
 		return seccomp.WithDefaultProfile(), nil
 	case runtime.SecurityProfile_Localhost:
 		// trimming the localhost/ prefix just in case even though it should not
 		// be necessary with the new SecurityProfile struct
 		return seccomp.WithProfile(strings.TrimPrefix(sp.LocalhostRef, profileNamePrefix)), nil
 	default:
 		return nil, errors.New("seccomp unknown ProfileType")
 	}
 }
	/*
	Copyright The containerd Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package sputil

	import (
	"errors"
	"strings"

	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"

	"github.com/containerd/containerd/v2/contrib/seccomp"
	"github.com/containerd/containerd/v2/pkg/oci"
	)

	func GenerateSeccompSecurityProfile(profilePath string, unsetProfilePath string) (*runtime.SecurityProfile, error) {
	if profilePath != "" {
	return generateSecurityProfile(profilePath)
	}
	if unsetProfilePath != "" {
	return generateSecurityProfile(unsetProfilePath)
	}
	return nil, nil
	}

	// GenerateSeccompSpecOpts generates containerd SpecOpts for seccomp.
	func GenerateSeccompSpecOpts(sp *runtime.SecurityProfile, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
	if privileged {
	// Do not set seccomp profile when container is privileged
	return nil, nil
	}
	if !seccompEnabled {
	if sp != nil {
	if sp.ProfileType != runtime.SecurityProfile_Unconfined {
	return nil, errors.New("seccomp is not supported")
	}
	}
	return nil, nil
	}

	if sp == nil {
	return nil, nil
	}

	if sp.ProfileType != runtime.SecurityProfile_Localhost && sp.LocalhostRef != "" {
	return nil, errors.New("seccomp config invalid LocalhostRef must only be set if ProfileType is Localhost")
	}
	switch sp.ProfileType {
	case runtime.SecurityProfile_Unconfined:
	// Do not set seccomp profile.
	return nil, nil
	case runtime.SecurityProfile_RuntimeDefault:
	return seccomp.WithDefaultProfile(), nil
	case runtime.SecurityProfile_Localhost:
	// trimming the localhost/ prefix just in case even though it should not
	// be necessary with the new SecurityProfile struct
	return seccomp.WithProfile(strings.TrimPrefix(sp.LocalhostRef, profileNamePrefix)), nil
	default:
	return nil, errors.New("seccomp unknown ProfileType")
	}
	}