From 84f15d2a10072046fab606d7eb1e1a1bd7daf6e2 Mon Sep 17 00:00:00 2001
From: Max Goltzsche
Date: Tue, 18 Jun 2024 01:00:23 +0200
Subject: [PATCH] feat: add seccomp.json file
Closes #86
---
Dockerfile | 5 +++++
Makefile | 4 ++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 770d0ad..aa31586 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,6 +32,10 @@ ARG PODMAN_BUILDTAGS='seccomp selinux apparmor exclude_graphdriver_devicemapper
ARG PODMAN_CGO=1
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
WORKDIR $GOPATH/src/github.com/containers/podman
+RUN set -eux; \
+ COMMON_VERSION=$(grep -Eom1 'github.com/containers/common [^ ]+' go.mod | sed 's!github.com/containers/common !!'); \
+ mkdir -p /etc/containers; \
+ curl -fsSL "https://raw.githubusercontent.com/containers/common/${COMMON_VERSION}/pkg/seccomp/seccomp.json" > /etc/containers/seccomp.json
RUN set -ex; \
export CGO_ENABLED=$PODMAN_CGO; \
make bin/podman LDFLAGS_PODMAN="-s -w -extldflags '-static'" BUILDTAGS='${PODMAN_BUILDTAGS}'; \
@@ -186,3 +190,4 @@ RUN apk add --no-cache iptables ip6tables
COPY --from=catatonit /catatonit/catatonit /usr/local/lib/podman/catatonit
COPY --from=runc /usr/local/bin/runc /usr/local/bin/runc
COPY --from=aardvark-dns /aardvark-dns/target/release/aardvark-dns /usr/local/lib/podman/aardvark-dns
+COPY --from=podman /etc/containers/seccomp.json /etc/containers/seccomp.json
diff --git a/Makefile b/Makefile
index f4cb525..ee4f2ff 100644
--- a/Makefile
+++ b/Makefile
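Review bot: The new RUN step fetches a security policy over the network with no integrity check — `curl -fsSL "https://raw.githubusercontent.com/containers/common/${COMMON_VERSION}/pkg/seccomp/seccomp.json"` trusts whatever raw.githubusercontent.com serves for a movable tag at build time, and a substituted or tampered profile would silently weaken the sandbox of every container this image later runs. The `git clone` two lines earlier already holds the exact copy of containers/common that the binary is compiled against (podman vendors its dependencies, so `vendor/github.com/containers/common/pkg/seccomp/seccomp.json` should exist after the clone — confirm for the pinned PODMAN_VERSION), so copying it, e.g. `RUN install -Dm0644 vendor/github.com/containers/common/pkg/seccomp/seccomp.json /etc/containers/seccomp.json`, removes the unverified download, keeps the shipped profile in lockstep with the built-in one, and drops the go.mod grep, which would also pick the `require` line even if a `replace` directive overrides that version. If the download is kept instead, pin the expected digest and verify it with `sha256sum -c` before the file lands in /etc/containers.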
@@ -101,10 +101,10 @@ tar: .podman-from-container
.podman-from-container: podman
rm -rf $(ASSET_DIR)
mkdir -p $(ASSET_DIR)/etc $(ASSET_DIR)/usr/local
- cp -r conf/containers $(ASSET_DIR)/etc/containers
- cp README.md $(ASSET_DIR)/
+ cp -r $(IMAGE_ROOTFS)/etc/containers $(ASSET_DIR)/etc/containers
cp -r $(IMAGE_ROOTFS)/usr/local/lib $(ASSET_DIR)/usr/local/lib
cp -r $(IMAGE_ROOTFS)/usr/local/bin $(ASSET_DIR)/usr/local/bin
+ cp README.md $(ASSET_DIR)/

signed-tar: tar .gpg
@echo Running gpg signing container with GPG_SIGN_KEY and GPG_SIGN_KEY_PASSPHRASE
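Review bot: The new `cp -r $(IMAGE_ROOTFS)/etc/containers $(ASSET_DIR)/etc/containers` line has no guard on `IMAGE_ROOTFS`; its definition is outside this hunk, but if it ever expands empty the recipe silently packages the build host's own `/etc/containers` (registries.conf, policy.json, any local auth or policy overrides) into the release tarball in place of the image's, with no error. The old source `conf/containers` was a repo path that could not drift like this, so failing fast is worth a line: put `$(if $(strip $(IMAGE_ROOTFS)),,$(error IMAGE_ROOTFS is empty))` (and the same for `ASSET_DIR`, whose emptiness would make the preceding `mkdir -p $(ASSET_DIR)/etc` resolve to the host's `/etc`) as the first recipe line of `.podman-from-container`, or at least `test -d '$(IMAGE_ROOTFS)/etc/containers'` immediately before the copy. The rule's target line and its last recipe line are both inside the hunk, so the guard placement is unambiguous.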