Podman: Specifying seccomp profiles for privileged containers

Created on 7 Aug 2020 · 2 comments · Source: containers/podman

Right now we clear the seccomp profile for privileged containers there:
https://github.com/containers/podman/blob/288ebec6e737c105fa0ef43412de4e0a8997feb9/pkg/specgen/generate/security.go#L161-L164

Recently we added a behavioral change which allows AppArmor profiles to still be run for privileged containers. I think for the sake of consistency and testing we should apply the same behavior to seccomp. WDYT?

I have to mention that moby right now has the exact same behavior when speaking about seccomp, AppArmor and privileged containers, whereas Kubernetes still states that privileged containers should disable those features entirely.
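To make the two behaviors being compared concrete, here is an added Go example (not podman's own code from `pkg/specgen/generate/security.go`, and the `SecurityConfig` type, function names and the sample profile are assumptions constructed for illustration). `resolveSeccompCurrent` models the linked behavior, where `--privileged` clears any seccomp profile; `resolveSeccompProposed` models the consistency argued for here, where `--privileged` only drops the runtime default and an explicitly requested profile is still applied. `validateProfile` is a sanity check on a user-supplied profile so that an explicitly requested file does not turn out to be a no-op.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SecurityConfig is a hypothetical, minimal view of the per-container security
// options relevant here (not podman's SpecGenerator).
type SecurityConfig struct {
	Privileged     bool
	SeccompProfile string // "" = runtime default, otherwise a user-specified profile (path or "unconfined")
}

// seccompProfile is the subset of the OCI seccomp JSON format needed to check a profile.
type seccompProfile struct {
	DefaultAction string   `json:"defaultAction"`
	Architectures []string `json:"architectures,omitempty"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// resolveSeccompCurrent models the behavior the issue links to: a privileged
// container ends up with no seccomp filter, regardless of what the user requested.
func resolveSeccompCurrent(c SecurityConfig) string {
	if c.Privileged {
		return "unconfined"
	}
	if c.SeccompProfile == "" {
		return "default"
	}
	return c.SeccompProfile
}

// resolveSeccompProposed models the consistency the issue asks for: --privileged
// still drops the *default* profile, but an explicit user choice is obeyed.
func resolveSeccompProposed(c SecurityConfig) string {
	switch {
	case c.SeccompProfile != "":
		return c.SeccompProfile // explicit configuration wins, privileged or not
	case c.Privileged:
		return "unconfined"
	default:
		return "default"
	}
}

// validateProfile parses a profile and rejects one that is malformed or that is
// effectively unconfined (allow-all default with no rules), so an operator who
// explicitly passed a profile is not silently left without a filter.
func validateProfile(data []byte) (*seccompProfile, error) {
	var p seccompProfile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("seccomp profile is not valid JSON: %w", err)
	}
	if p.DefaultAction == "" {
		return nil, errors.New("seccomp profile has no defaultAction")
	}
	if p.DefaultAction == "SCMP_ACT_ALLOW" && len(p.Syscalls) == 0 {
		return nil, errors.New("seccomp profile allows every syscall; equivalent to unconfined")
	}
	return &p, nil
}

// sampleProfile is a constructed deny-by-default profile used only for this example.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

func main() {
	cases := []SecurityConfig{
		{Privileged: false},
		{Privileged: true},
		{Privileged: false, SeccompProfile: "/etc/custom-seccomp.json"},
		{Privileged: true, SeccompProfile: "/etc/custom-seccomp.json"},
	}
	for _, c := range cases {
		fmt.Printf("privileged=%-5v profile=%-26q current=%-12s proposed=%s\n",
			c.Privileged, c.SeccompProfile, resolveSeccompCurrent(c), resolveSeccompProposed(c))
	}
	if p, err := validateProfile([]byte(sampleProfile)); err != nil {
		fmt.Println("invalid profile:", err)
	} else {
		fmt.Printf("sample profile ok: defaultAction=%s rules=%d\n", p.DefaultAction, len(p.Syscalls))
	}
}
```

The only row where the two policies differ is the last one: a privileged container with an explicitly supplied profile. Under the current behavior it runs unconfined; under the proposed behavior the requested profile is applied, matching what already happens for AppArmor.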

All 2 comments

I think that being internally consistent makes sense - we should obey explicit user configuration of Seccomp when given, even if --privileged has been passed.

I agree, I thought we did, please open a PR to fix this.
