Closed saschagrunert closed 4 years ago
I think that being internally consistent makes sense - we should obey explicit user configuration of Seccomp when given, even if --privileged has been passed.
I agree; I thought we did. Please open a PR to fix this.
Right now we clear the seccomp profile for privileged containers there: https://github.com/containers/podman/blob/288ebec6e737c105fa0ef43412de4e0a8997feb9/pkg/specgen/generate/security.go#L161-L164
Recently we added a behavioral change which still allows running AppArmor profiles for privileged containers. I think for the sake of consistency and testing we should apply the same behavior to seccomp. WDYT?
I have to mention that moby right now has the exact same behavior regarding seccomp, AppArmor and privileged containers, whereas Kubernetes still states that privileged containers should disable those features entirely.
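To make the precedence rule the thread is arguing about concrete, here is an added Go example that is not podman's code and does not use podman's types. It models the decision in isolation: today's behavior (privileged drops the seccomp profile unconditionally, as the linked security.go lines do) next to the proposed behavior (an explicit `--security-opt seccomp=...` wins even with `--privileged`, and only the default profile is dropped), with the same rule applied to AppArmor for consistency. The struct, function names, and the default profile names are assumptions for illustration; `"unconfined"` is mapped to "no filter" as it is on the CLI.

```go
package main

import "fmt"

// SecurityOpts is a hypothetical subset of the run options that matter here
// (not podman's real specgen types).
type SecurityOpts struct {
	Privileged      bool
	SeccompProfile  string // from --security-opt seccomp=<path|unconfined>, "" if absent
	ApparmorProfile string // from --security-opt apparmor=<name|unconfined>, "" if absent
}

// Assumed defaults; the real paths/names are distribution specific.
const (
	defaultSeccomp  = "/usr/share/containers/seccomp.json"
	defaultApparmor = "containers-default"
)

// An empty result means "no profile applied" (the kernel filter / LSM label is left off).

// currentSeccomp models today's behavior described in the thread:
// --privileged clears the seccomp profile even if the user gave one explicitly.
func currentSeccomp(o SecurityOpts) string {
	if o.Privileged {
		return ""
	}
	return resolve(o.SeccompProfile, defaultSeccomp)
}

// proposedSeccomp models the consistent rule: an explicit profile always wins;
// --privileged only removes the implicit default.
func proposedSeccomp(o SecurityOpts) string {
	if o.SeccompProfile != "" {
		return resolve(o.SeccompProfile, defaultSeccomp)
	}
	if o.Privileged {
		return ""
	}
	return defaultSeccomp
}

// apparmorProfile applies the same rule to AppArmor, which is what the thread
// says was already changed for privileged containers.
func apparmorProfile(o SecurityOpts) string {
	if o.ApparmorProfile != "" {
		return resolve(o.ApparmorProfile, defaultApparmor)
	}
	if o.Privileged {
		return ""
	}
	return defaultApparmor
}

// resolve turns a CLI value into an effective profile: "unconfined" disables
// the mechanism, "" selects the default, anything else is used verbatim.
func resolve(explicit, def string) string {
	switch explicit {
	case "unconfined":
		return ""
	case "":
		return def
	default:
		return explicit
	}
}

func main() {
	cases := []SecurityOpts{
		{},
		{Privileged: true},
		{Privileged: true, SeccompProfile: "/etc/custom-seccomp.json"},
		{Privileged: true, SeccompProfile: "unconfined"},
		{Privileged: true, ApparmorProfile: "my-profile"},
	}
	for _, c := range cases {
		fmt.Printf("%+v\n  current seccomp: %q\n  proposed seccomp: %q\n  apparmor: %q\n",
			c, currentSeccomp(c), proposedSeccomp(c), apparmorProfile(c))
	}
}
```

The third case is the one the thread cares about: an operator who passes both `--privileged` and an explicit profile currently gets no filter at all, while the proposed rule keeps the filter they asked for, exactly as AppArmor already does.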