From 7b0bde4362d342c412dcf50f11e75988c0b4b459 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Tue, 19 Sep 2017 19:39:58 +0200
Subject: [PATCH] container_create: fix seccomp annotations

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 8 ++++----
 server/seccomp/seccomp.go | 2 ++
 test/seccomp.bats | 18 +++++++++---------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index 4b027759..3b5a0f6c 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -890,13 +890,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 specgen.AddAnnotation(annotations.Annotations, string(kubeAnnotationsJSON))
+ metaname := metadata.Name
 if !privileged {
- if err = s.setupSeccomp(&specgen, containerName, sb.Annotations()); err != nil {
+ if err = s.setupSeccomp(&specgen, metaname, sb.Annotations()); err != nil {
 return nil, err
 }
 }
- metaname := metadata.Name
 attempt := metadata.Attempt
 containerInfo, err := s.StorageRuntimeServer().CreateContainer(s.ImageContext(),
 sb.Name(), sb.ID(),
@@ -1020,9 +1020,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnotations map[string]string) error {
- profile, ok := sbAnnotations["security.alpha.kubernetes.io/seccomp/container/"+cname]
+ profile, ok := sbAnnotations["container.seccomp.security.alpha.kubernetes.io/"+cname]
 if !ok {
- profile, ok = sbAnnotations["security.alpha.kubernetes.io/seccomp/pod"]
+ profile, ok = sbAnnotations["seccomp.security.alpha.kubernetes.io/pod"]
 if !ok {
 // running w/o seccomp, aka unconfined
 profile = seccompUnconfined
diff --git a/server/seccomp/seccomp.go b/server/seccomp/seccomp.go
index d8ec63d2..cf77c827 100644
--- a/server/seccomp/seccomp.go
+++ b/server/seccomp/seccomp.go
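Review bot: The hunk changes which name keys the per-container seccomp lookup, from the generated runtime name (`containerName`) to the pod-spec name (`metadata.Name`), and nothing in the code records why, so a later reader may "fix" it back to the runtime name and silently lose every per-container profile. Add a comment above the `if !privileged` block, e.g. `// Per-container seccomp annotations are keyed by the container's spec name (metadata.Name), not by the generated runtime container name; see setupSeccomp.`, presumably because that is how the kubelet writes the annotation. The privileged branch still skips seccomp entirely; that is pre-existing behaviour, not introduced here. createSandboxContainer starts and ends outside this hunk.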
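Review bot: The two annotation keys are bare string literals inside setupSeccomp, so the container prefix and the pod key can drift apart from the values the tests and the kubelet use with nothing but grep to catch it; name them as constants so one definition documents the contract. The lookup also falls through to `seccompUnconfined` when neither annotation is present, which is the documented-in-comment default here but deserves stating in a doc comment on the function, since it means an absent annotation is a silent no-confinement outcome. setupSeccomp's body continues past the end of the hunk.
```go
const (
	// Per-container override: the key is this prefix followed by the container's metadata.Name.
	seccompContainerAnnotationPrefix = "container.seccomp.security.alpha.kubernetes.io/"
	// Pod-wide profile, consulted when no per-container key matches.
	seccompPodAnnotation = "seccomp.security.alpha.kubernetes.io/pod"
)

// setupSeccomp resolves the seccomp profile for container cname from the
// sandbox annotations: the per-container key first, then the pod key, and
// unconfined when neither is present.
func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnotations map[string]string) error {
	profile, ok := sbAnnotations[seccompContainerAnnotationPrefix+cname]
	if !ok {
		profile, ok = sbAnnotations[seccompPodAnnotation]
		// … unchanged: fallback to seccompUnconfined and profile handling …
```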
@@ -11,6 +11,7 @@ import (
 specs "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 libseccomp "github.com/seccomp/libseccomp-golang"
+ "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
 )
@@ -24,6 +25,7 @@ func IsEnabled() bool {
 enabled = true
 }
 }
+ logrus.Debugf("seccomp status: %v", enabled)
 return enabled
 }
diff --git a/test/seccomp.bats b/test/seccomp.bats
index 56f30381..b77a7f8c 100644
--- a/test/seccomp.bats
+++ b/test/seccomp.bats
@@ -21,7 +21,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname_seccomp_1_redhat\.test\.crio_redhat-test-crio_0": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/testname": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
 run crioctl pod run --name seccomp1 --config "$TESTDIR"/seccomp1.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -57,7 +57,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname2_seccomp2_redhat\.test\.crio_redhat-test-crio_0": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/testname2": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
 run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
 echo "$output"
 [ "$status" -eq 0 ]
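Review bot: The added `logrus.Debugf` reports a kernel without seccomp support at debug level only, so on such a node the loss of syscall confinement is invisible at default log verbosity. Log the negative case at warning level and keep the debug line for the positive one, e.g. `if !enabled { logrus.Warn("seccomp is not supported by this kernel; seccomp profiles cannot be applied") }`. What callers do with a false result is outside this hunk, so confirm the consequence before settling the wording. IsEnabled starts outside the hunk.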
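Review bot: The new key `container.seccomp.security.alpha.kubernetes.io/testname` only exercises the per-container path if `testname` equals the `metadata.name` in the container config this test presumably passes to `crioctl ctr create` later; that config is outside the hunk, so the coupling is implicit and a rename of either side would leave the container silently unconfined while the test still passes. Add a comment above the `sed` line, `# the key suffix must equal metadata.name in the container config used below`, so the dependency is visible in review. The enclosing @test block starts and ends outside the hunk.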
@@ -94,7 +94,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname3_seccomp3_redhat\.test\.crio_redhat-test-crio_1": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/testname3": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
 run crioctl pod run --name seccomp3 --config "$TESTDIR"/seccomp3.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -145,7 +145,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp2-1-testname2-0-not-exists": "unconfined", "security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp5.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/redhat\.test\.crio-seccomp2-1-testname2-0-not-exists": "unconfined", "seccomp\.security\.alpha\.kubernetes\.io\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp5.json
 run crioctl pod run --name seccomp5 --config "$TESTDIR"/seccomp5.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -185,7 +185,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp6-1-testname6-0-not-exists": "runtime-default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp6.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/redhat\.test\.crio-seccomp6-1-testname6-0-not-exists": "runtime-default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp6.json
 run crioctl pod run --name seccomp6 --config "$TESTDIR"/seccomp6.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -221,7 +221,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
+ sed -e 's/%VALUE%/,"seccomp\.security\.alpha\.kubernetes\.io\/pod": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
 run crioctl pod run --name seccomp1 --config "$TESTDIR"/seccomp1.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -257,7 +257,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+ sed -e 's/%VALUE%/,"seccomp\.security\.alpha\.kubernetes\.io\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
 run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -295,7 +295,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
 # 3. test running with pod wrong profile name
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
+ sed -e 's/%VALUE%/,"seccomp\.security\.alpha\.kubernetes\.io\/pod": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
 run crioctl pod run --name seccomp3 --config "$TESTDIR"/seccomp3.json
 echo "$output"
 [ "$status" -eq 0 ]
@@ -344,7 +344,7 @@ function teardown() {
 start_crio "$TESTDIR"/seccomp_profile1.json
- sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname2_seccomp2_redhat\.test\.crio_redhat-test-crio_0": "docker\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+ sed -e 's/%VALUE%/,"container\.seccomp\.security\.alpha\.kubernetes\.io\/testname2": "docker\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
 run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
 echo "$output"
 [ "$status" -eq 0 ]