MCPcopy Index your code
hub / github.com/docker/cli / parseSecurityOpts

Function parseSecurityOpts

cli/command/container/opts.go:929–960  ·  view source on GitHub ↗

takes a local seccomp daemon, reads the file contents for sending to the daemon

(securityOpts []string)

Source from the content-addressed store, hash-verified

927
928// takes a local seccomp daemon, reads the file contents for sending to the daemon
929func parseSecurityOpts(securityOpts []string) ([]string, error) {
930 for key, opt := range securityOpts {
931 k, v, ok := strings.Cut(opt, "=")
932 if !ok && k != "no-new-privileges" {
933 k, v, ok = strings.Cut(opt, ":")
934 }
935 if (!ok || v == "") && k != "no-new-privileges" {
936 // "no-new-privileges" is the only option that does not require a value.
937 return securityOpts, fmt.Errorf("invalid --security-opt: %q", opt)
938 }
939 if k == "seccomp" {
940 switch v {
941 case seccompProfileDefault, seccompProfileUnconfined:
942 // known special names for built-in profiles, nothing to do.
943 default:
944 // value may be a filename, in which case we send the profile's
945 // content if it's valid JSON.
946 f, err := os.ReadFile(v)
947 if err != nil {
948 return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %w", v, err)
949 }
950 var b bytes.Buffer
951 if err := json.Compact(&b, f); err != nil {
952 return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %w", v, err)
953 }
954 securityOpts[key] = "seccomp=" + b.String()
955 }
956 }
957 }
958
959 return securityOpts, nil
960}
961
962// parseSystemPaths checks if `systempaths=unconfined` security option is set,
963// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated

Callers 1

parseFunction · 0.85

Calls 1

StringMethod · 0.65

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…