Add support for custom seccomp profiles.

containerd/containerd.go

@@ -66,10 +66,18 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
 		opts = append(opts, oci.WithPrivileged)
 	}
 
-	// Enable default seccomp profile.
+	if !config.Seccomp && config.SeccompProfile != "" {
+		return nil, fmt.Errorf("seccomp must be set to true, if using a custom seccomp_profile.")
+	}
+
+	// Enable default (or custom) seccomp profile.
 	// Allowed syscalls for the default seccomp profile: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
 	if config.Seccomp {
-		opts = append(opts, seccomp.WithDefaultProfile())
+		if config.SeccompProfile != "" {
+			opts = append(opts, seccomp.WithProfile(config.SeccompProfile))
+		} else {
+			opts = append(opts, seccomp.WithDefaultProfile())
+		}
 	}
 
 	// Launch container in read-only mode.

containerd/driver.go

@@ -93,6 +93,7 @@ var (
 		"devices":         hclspec.NewAttr("devices", "list(string)", false),
 		"privileged":      hclspec.NewAttr("privileged", "bool", false),
 		"seccomp":         hclspec.NewAttr("seccomp", "bool", false),
+		"seccomp_profile": hclspec.NewAttr("seccomp_profile", "string", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
@@ -143,6 +144,7 @@ type TaskConfig struct {
 	CapDrop        []string `codec:"cap_drop"`
 	Devices        []string `codec:"devices"`
 	Seccomp        bool     `codec:"seccomp"`
+	SeccompProfile string   `codec:"seccomp_profile"`
 	Privileged     bool     `codec:"privileged"`
 	ReadOnlyRootfs bool     `codec:"readonly_rootfs"`
 	HostNetwork    bool     `codec:"host_network"`