author | Fabricio Voznika <fvoznika@google.com> | 2018-05-08 10:33:20 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-05-08 10:34:11 -0700 |
commit | e1b412d6609c848ff09356ead133b51cd0589731 (patch) | |
tree | 8c0000adbed2cd25ba9a9f787fe1e03b144e734c /runsc/sandbox/sandbox.go | |
parent | fea624b37a90c0e1efc0c1e7ae7dda7b2d1a0050 (diff) |
Error if container requires AppArmor, SELinux or seccomp
Closes #35
PiperOrigin-RevId: 195840128
Change-Id: I31c1ad9b51ec53abb6f0b485d35622d4e9764b29
Diffstat (limited to 'runsc/sandbox/sandbox.go')
-rw-r--r-- | runsc/sandbox/sandbox.go | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 0354a64b9..2a5eda6ae 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -53,6 +53,22 @@ func validateID(id string) error {
 	return nil
 }
 
+func validateSpec(spec *specs.Spec) error {
+	if spec.Process.SelinuxLabel != "" {
+		return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel)
+	}
+
+	// Docker uses AppArmor by default, so just log that it's being ignored.
+	if spec.Process.ApparmorProfile != "" {
+		log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
+	}
+	// TODO: Apply seccomp to application inside sandbox.
+	if spec.Linux != nil && spec.Linux.Seccomp != nil {
+		log.Warningf("Seccomp spec is being ignored")
+	}
+	return nil
+}
+
 // Sandbox wraps a child sandbox process, and is responsible for saving and
 // loading sandbox metadata to disk.
 //
@@ -110,6 +126,9 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
 	if err := validateID(id); err != nil {
 		return nil, err
 	}
+	if err := validateSpec(spec); err != nil {
+		return nil, err
+	}
 	sandboxRoot := filepath.Join(conf.RootDir, id)
 	if exists(sandboxRoot) {
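Review bot: validateSpec reads `spec.Process.SelinuxLabel` and `spec.Process.ApparmorProfile` without checking `spec.Process` for nil, while `spec.Linux` is nil-checked two lines later; `Process` is a pointer field in the OCI runtime-spec types (optional in the JSON), so a bundle that omits it would panic inside Create rather than fail validation. Mirroring the existing guard, `if spec.Process != nil && spec.Process.SelinuxLabel != "" {` and `if spec.Process != nil && spec.Process.ApparmorProfile != "" {`, keeps a malformed spec on the error path. Separately, the commit title says the runtime errors when AppArmor or seccomp is required, but the hunk only logs a warning for both and the workload then runs without the requested confinement, so a log line is the operator's only signal that the sandbox is weaker than the spec asked for; a doc comment making that contract explicit would help, e.g. `// validateSpec rejects spec settings the sandbox cannot honor (SELinux labels) and logs when a requested AppArmor profile or seccomp filter will be ignored.` The call site added in the Create hunk is consistent with the validateID check above it.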