security options

commands/inspect.go

@@ -87,7 +87,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 				securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
 			}
 			if len(securityOpts) > 0 {
-				fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
+				fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(securityOpts, " "))
 			}
 
 			if err := n.Err; err != nil {

driver/docker-container/driver.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -112,7 +113,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	if err := l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
-			Privileged: false,
+			Privileged: true,
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
@@ -126,6 +127,13 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 			hc.NetworkMode = container.NetworkMode(d.netMode)
 		}
 		if info, err := d.DockerAPI.Info(ctx); err == nil {
+			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
+			l.Wrap("driverOpts"+info.CgroupDriver, func() error {
+				return nil
+			})
+			if err != nil {
+				return err
+			}
 			if info.CgroupDriver == "cgroupfs" {
 				// Place all buildkit containers inside this cgroup by default so limits can be attached
 				// to all build activity on the host.
@@ -134,23 +142,27 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 					hc.CgroupParent = d.cgroupParent
 				}
 			}
-			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
-			if err != nil {
-				return err
-			}
 			for _, f := range secOpts {
 				if f.Name == "userns" {
 					hc.UsernsMode = "host"
 					break
 				}
 			}
-			hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
-			hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
-			hc.Privileged = false
-			//hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
+			for i, k := range d.SecurityOpts {
+				switch {
+				case i == "systempaths":
 					hc.MaskedPaths = []string{}
 					hc.ReadonlyPaths = []string{}
-			//cfg.Env= append(cfg.Env,"systempaths=unconfined")
+				case i == "privileged":
+					val, err := strconv.ParseBool(k)
+					if err != nil {
+						return errors.Errorf("invalid value privleged security option, options are true/false")
+					}
+					hc.Privileged = val
+				default:
+					hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
+				}
+			}
 		}
 		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 		if err != nil && !errdefs.IsConflict(err) {

driver/docker-container/factory.go

@@ -61,7 +61,20 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 			return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
 		}
 	}
-
+	for i, _ := range cfg.SecurityOpts {
+		switch {
+		case i == "seccomp":
+			continue
+		case i == "apparmor":
+			continue
+		case i == "systempaths":
+			continue
+		case i == "privileged":
+			continue
+		default:
+			return nil, errors.Errorf("invalid Security option %s for docker-container driver", i)
+		}
+	}
 	return d, nil
 }