
compat API: accept inline seccomp profiles #28985

Open

saurabh235711 wants to merge 1 commit into podman-container-tools:main from saurabh235711:compat-api-inline-seccomp

Conversation

@saurabh235711 saurabh235711 commented Jun 19, 2026


Docker-compatible clients may pass the seccomp profile JSON itself via HostConfig.SecurityOpt, as seccomp=..., instead of passing a path to a profile JSON.

Detect inline JSON profiles before Windows path conversion and profile loading, and pass it directly to the seccomp loader. When inline JSON is not detected, proceed with loading the profile from path.

Add unit tests for loading profile from path and inline seccomp profiles, cover Windows path-conversion behaviour for inline JSON, and add an API v2 regression test for containers/create with HostConfig.SecurityOpt.

Fixes: #27710

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all commits (git commit -s; if needed, use git commit -s --amend). The author email must match the sign-off email address. See CONTRIBUTING.md for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

Fixed Docker-compatible container creation to accept inline seccomp profile JSON

Docker-compatible clients may pass the seccomp profile JSON itself via
HostConfig.SecurityOpt, as seccomp=..., instead of passing a path to a
profile JSON.

Detect inline JSON profiles before Windows path conversion and profile
loading, and pass it directly to the seccomp loader. When inline JSON
is not detected, proceed with loading the profile from path.

Add unit tests for loading profile from path and inline seccomp
profiles, cover Windows path-conversion behaviour for inline JSON, and
add an API v2 regression test for containers/create with
HostConfig.SecurityOpt.

Fixes: podman-container-tools#27710
Signed-off-by: Saurabh Singh <saurabh235711@proton.me>
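To make the detection order the PR describes concrete, here is an added Go example that is not the PR's or Podman's own code. It classifies one Docker-style HostConfig.SecurityOpt entry as "unconfined", an inline JSON profile, or a path, and only the path branch ever reaches the path-conversion and file-read steps. The function names (ClassifySeccompOpt, LoadSeccompProfile), the injected convertPath/readFile hooks, the "starts with {" detection rule, the defaultAction sanity check and all sample inputs are this example's own assumptions; the PR's actual implementation may differ. The sanity check is what turns the failure mode from the linked issue (a long inline document treated as a file name) into an explicit create-time error instead of an open() failure.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SeccompKind says what the value of a "seccomp=<value>" SecurityOpt carries.
type SeccompKind int

const (
	SeccompUnconfined SeccompKind = iota // the special value "unconfined"
	SeccompInlineJSON                    // the profile JSON document itself
	SeccompPath                          // a path to a profile JSON file
)

// SeccompOpt is the classified form of one SecurityOpt entry.
type SeccompOpt struct {
	Kind    SeccompKind
	Payload string // raw JSON text for inline profiles, the path otherwise
}

// ClassifySeccompOpt parses one HostConfig.SecurityOpt entry ("seccomp=<value>")
// and decides whether <value> is "unconfined", an inline JSON profile, or a path.
// The inline check runs before any path handling, so a path-conversion step
// (such as the Windows conversion the PR mentions) is never applied to JSON text.
// Function name and detection rule are this example's own assumptions.
func ClassifySeccompOpt(opt string) (SeccompOpt, error) {
	if !strings.HasPrefix(opt, "seccomp=") {
		return SeccompOpt{}, fmt.Errorf("not a seccomp option: %q", opt)
	}
	value := strings.TrimSpace(strings.TrimPrefix(opt, "seccomp="))
	switch {
	case value == "":
		return SeccompOpt{}, errors.New("empty seccomp value")
	case value == "unconfined":
		return SeccompOpt{Kind: SeccompUnconfined}, nil
	case strings.HasPrefix(value, "{"):
		// A JSON object is treated as an inline profile. Insist on the
		// defaultAction key that Docker/OCI seccomp profiles carry, so a
		// malformed or truncated document is rejected at create time rather
		// than being handed to the seccomp loader.
		var profile struct {
			DefaultAction string `json:"defaultAction"`
		}
		if err := json.Unmarshal([]byte(value), &profile); err != nil {
			return SeccompOpt{}, fmt.Errorf("inline seccomp profile is not valid JSON: %w", err)
		}
		if profile.DefaultAction == "" {
			return SeccompOpt{}, errors.New("inline seccomp profile has no defaultAction")
		}
		return SeccompOpt{Kind: SeccompInlineJSON, Payload: value}, nil
	default:
		return SeccompOpt{Kind: SeccompPath, Payload: value}, nil
	}
}

// LoadSeccompProfile returns the profile JSON to hand to the seccomp loader,
// or nil for "unconfined". convertPath and readFile are injected placeholders
// so the ordering (classify first; convert and read only for paths) can be
// exercised without a filesystem.
func LoadSeccompProfile(opt string, convertPath func(string) string, readFile func(string) ([]byte, error)) ([]byte, error) {
	parsed, err := ClassifySeccompOpt(opt)
	if err != nil {
		return nil, err
	}
	switch parsed.Kind {
	case SeccompUnconfined:
		return nil, nil
	case SeccompInlineJSON:
		return []byte(parsed.Payload), nil
	default:
		path := convertPath(parsed.Payload)
		data, err := readFile(path)
		if err != nil {
			return nil, fmt.Errorf("reading seccomp profile %q: %w", path, err)
		}
		return data, nil
	}
}

func main() {
	// Constructed sample inputs, not taken from a real request.
	inline := `seccomp={"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","write","exit_group"],"action":"SCMP_ACT_ALLOW"}]}`
	files := map[string][]byte{"/etc/containers/seccomp.json": []byte(`{"defaultAction":"SCMP_ACT_ALLOW"}`)}
	identity := func(p string) string { return p }
	read := func(p string) ([]byte, error) {
		if d, ok := files[p]; ok {
			return d, nil
		}
		return nil, errors.New("no such file")
	}
	for _, opt := range []string{inline, "seccomp=unconfined", "seccomp=/etc/containers/seccomp.json"} {
		data, err := LoadSeccompProfile(opt, identity, read)
		fmt.Printf("%.40s... -> %d bytes, err=%v\n", opt, len(data), err)
	}
}
```

The "unconfined" branch is kept as its own case, matching the reviewer's point that it is an established special value and must keep working unchanged; adding a dedicated inline-profile field in specgen, as the review suggests, would only change where the SeccompInlineJSON payload is stored, not this classification.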
saurabh235711 force-pushed the compat-api-inline-seccomp branch from b84c3ba to 6bba7c2 on June 19, 2026 12:24
saurabh235711 marked this pull request as ready for review June 19, 2026 12:38
@saurabh235711 (Author) commented:

/packit retest-failed

@Luap99 (Member) left a comment:

Thanks, I think it makes sense to accept the JSON as a string, but I really prefer a new field for that then.

Comment thread pkg/specgen/specgen.go
SeccompPolicy string `json:"seccomp_policy,omitempty"`
// SeccompProfilePath is the path to a JSON file containing the
// container's Seccomp profile.
// container's Seccomp profile, or the JSON profile itself.
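Review bot: Widening the SeccompProfilePath doc comment to "or the JSON profile itself" leaves one string field with two meanings, so every consumer now has to sniff the content to know whether it holds a path or a document, and the comment does not state how that is decided or which interpretation wins for an ambiguous value. Consider a separate field for the inline profile so SeccompProfilePath keeps its documented single meaning; if the shared field stays, spell out the detection rule in the comment.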

Member commented:

That seems not nice design-wise.

If we want to accept inline JSON, specgen should gain another field IMO instead of trying to multi-purpose things.
Then you can avoid all the IsProfileInline() special cases.

With the new field the docker compat API endpoint can then just set this if it accepts the JSON as string.

cc @mheon

Author commented:

Agreed that overloading SeccompProfilePath is not ideal. Right now, it can also be set to unconfined. Do you think it makes sense to use a different field for that as well, so that SeccompProfilePath always contains a path?

Member commented:

Given unconfined is exposed as a special value to users already, we must continue to support it, so let's not change anything for that.


Development

Successfully merging this pull request may close these issues.

Podman Socket API exceeds file name limit when passing seccomp profile, where Docker would succeed

2 participants