From 1d7b64e9ad6de32b7a334beca2e818b3bc2c8341 Mon Sep 17 00:00:00 2001
From: Ace-Tang
Date: Thu, 1 Nov 2018 11:11:07 +0800
Subject: [PATCH] feature: support get security options in daemon

show daemon security options, include four part, seccomp, apparmor, selinux and userns.

Signed-off-by: Ace-Tang
---
 daemon/mgr/spec_seccomp_linux.go | 5 +++++
 daemon/mgr/spec_seccomp_unsupported.go | 5 +++++
 daemon/mgr/system.go | 19 +++++++++++++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/daemon/mgr/spec_seccomp_linux.go b/daemon/mgr/spec_seccomp_linux.go
index c3519110e..cb7f7ff8e 100644
--- a/daemon/mgr/spec_seccomp_linux.go
+++ b/daemon/mgr/spec_seccomp_linux.go
@@ -12,6 +12,11 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
+// IsSeccompEnable return true since pouch support seccomp in build
+func IsSeccompEnable() bool {
+	return true
+}
+
 // setupSeccomp creates seccomp security settings spec.
 func setupSeccomp(ctx context.Context, c *Container, s *specs.Spec) error {
 	if c.HostConfig.Privileged {
diff --git a/daemon/mgr/spec_seccomp_unsupported.go b/daemon/mgr/spec_seccomp_unsupported.go
index 1a6dd09fc..a0fc3ec41 100644
--- a/daemon/mgr/spec_seccomp_unsupported.go
+++ b/daemon/mgr/spec_seccomp_unsupported.go
@@ -9,6 +9,11 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
+// IsSeccompEnable return false since pouch do not support seccomp in build
+func IsSeccompEnable() bool {
+	return false
+}
+
 func setupSeccomp(ctx context.Context, c *Container, s *specs.Spec) error {
 	if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
 		return fmt.Errorf("Seccomp is not support by pouch, can not set seccomp profile %s", c.SeccompProfile)
diff --git a/daemon/mgr/system.go b/daemon/mgr/system.go
index 11636e747..47ceb7c8e 100644
--- a/daemon/mgr/system.go
+++ b/daemon/mgr/system.go
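Review bot: `IsSeccompEnable` in the spec_seccomp_linux.go hunk answers only whether seccomp support was compiled into this binary (it returns a constant `true`), not whether the running kernel will enforce a filter, and its doc comment should say so before some caller treats it as a runtime check. Suggested comment: `// IsSeccompEnable reports whether seccomp support is compiled into this build; it says nothing about kernel support, which callers must check separately (e.g. system.NewInfo().Seccomp).` As a style point, Go would name the predicate `IsSeccompEnabled`, but since the name is exported and already used by the system.go hunk, a rename would have to touch all three files in one go. The `setupSeccomp` body shown as context continues past the end of the hunk.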
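Review bot: The doc comment on `IsSeccompEnable` in the spec_seccomp_unsupported.go hunk should state which builds select this file, since the constant `false` is only correct when the build constraint (presumably at the top of the file, above this hunk) excludes the seccomp-capable platforms; otherwise a reader cannot tell why the two definitions differ. Suggested: `// IsSeccompEnable reports false: this build has no seccomp support, so setupSeccomp rejects any profile other than "" or "unconfined".` The second clause is grounded in the `setupSeccomp` check visible as context in this hunk. `setupSeccomp` itself continues past the end of the hunk.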
@@ -19,6 +19,8 @@ import (
 	"github.com/alibaba/pouch/registry"
 	volumedriver "github.com/alibaba/pouch/storage/volume/driver"
 	"github.com/alibaba/pouch/version"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
@@ -112,6 +114,19 @@ func (mgr *SystemManager) Info() (types.SystemInfo, error) {
 	}
 	volumeDrivers := volumedriver.AllDriversName()
 
+	// security options get four part, seccomp, apparmor, selinux and userns
+	securityOpts := []string{}
+	sysInfo := system.NewInfo()
+	if sysInfo.Seccomp && IsSeccompEnable() {
+		securityOpts = append(securityOpts, "seccomp")
+	}
+	if sysInfo.AppArmor && apparmor.IsEnabled() {
+		securityOpts = append(securityOpts, "apparmor")
+	}
+	if selinux.GetEnabled() {
+		securityOpts = append(securityOpts, "selinux")
+	}
+
 	info := types.SystemInfo{
 		Architecture: runtime.GOARCH,
 		// CgroupDriver: ,
@@ -148,8 +163,8 @@ func (mgr *SystemManager) Info() (types.SystemInfo, error) {
 		PouchRootDir:   mgr.config.HomeDir,
 		RegistryConfig: &mgr.config.RegistryService,
 		// RuncCommit: ,
-		Runtimes: mgr.config.Runtimes,
-		// SecurityOptions: ,
+		Runtimes:        mgr.config.Runtimes,
+		SecurityOptions: securityOpts,
 		ServerVersion:   version.Version,
 		ListenAddresses: mgr.config.Listen,
 	}
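Review bot: The comment `// security options get four part, seccomp, apparmor, selinux and userns` in the Info() hunk promises a `userns` entry, but nothing below it ever appends one, so the slice reports at most three options and both the comment and the commit message overstate what `pouch info` shows. Either append `"userns"` when the daemon is configured for user-namespace remapping, or cut the comment to `// security options supported by this host: seccomp, apparmor, selinux`. Note also that `selinux.GetEnabled()` and `apparmor.IsEnabled()` reflect host kernel/policy state, not whether this daemon actually applies labels or profiles to the containers it starts; an operator reading SecurityOptions to confirm hardening could be misled if labeling is disabled by daemon config, so gating on the daemon's own setting, if one exists, would be safer. Docker reports this field as `name=seccomp,profile=default`-style strings; if Docker API compatibility is a goal for clients consuming SecurityOptions, the bare names here will differ. Info() starts before and ends after this hunk.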