"Error: opening seccomp profile failed" on Windows due to missing path translation

[apyrgio]

Issue Description

Using a custom seccomp profile fails on Windows:

PS C:\Users\dz> podman run --security-opt 'seccomp=C:\Users\dz\AppData\Local\dangerzone\dangerzone\Cache\seccomp.gvisor.json' hello-world
Error: opening seccomp profile failed: open C:\Users\dz\AppData\Local\dangerzone\dangerzone\Cache\seccomp.gvisor.json: no such file or directory

Steps to reproduce the issue

Steps to reproduce the issue:

1. Create a seccomp profile, or grab one from https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
2. Start a Podman machine on Windows (either via Podman Desktop, or with podman machine init --now)
3. Start a container with podman run --security-opt 'seccomp=<path_to_seccomp>' hello-world
4. The command should fail with Error: opening seccomp profile failed: open ... no such file or directory

Describe the results you received

The underlying issue is that Podman does not translate the filepath on the Windows host:

C:\Users\dz\AppData\Local\dangerzone\dangerzone\Cache\seccomp.gvisor.json

to the one in the WSL2 VM:

/mnt/c/Users/dz/AppData/Local/dangerzone/dangerzone/Cache/seccomp.gvisor.json

Describe the results you expected

Docker performs this translation under the hood, so I would expect Podman to do the same, to maintain compatibility.

podman info output

Client:
  APIVersion: 5.5.1
  Built: 1749160159
  BuiltTime: Thu Jun  5 14:49:19 2025
  GitCommit: 850db76dd78a0641eddb9ee19ee6f60d2c59bcfa
  GoVersion: go1.24.3
  Os: windows
  OsArch: windows/amd64
  Version: 5.5.1
host:
  arch: amd64
  buildahVersion: 1.40.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 98.53
    systemPercent: 1.15
    userPercent: 0.32
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "41"
  eventLogger: journald
  freeLocks: 2047
  hostname: DESKTOP-QBCMT6T
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 5648322560
  memTotal: 6211989504
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.15.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.15.0
    package: netavark-1.15.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.15.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250512.g8ec1341-1.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: unix:///run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: true
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147483648
  swapTotal: 2147483648
  uptime: 0h 45m 21.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 2031484928
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 5.5.0
  BuildOrigin: Fedora Project
  Built: 1747180800
  BuiltTime: Tue May 13 17:00:00 2025
  GitCommit: 0dbcb51477ee7ab8d3b47d30facf71fc38bb0c98
  GoVersion: go1.23.8
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

$ wsl --version
WSL version: 2.5.9.0
Kernel version: 6.6.87.2-1
WSLg version: 1.0.66
MSRDC version: 1.2.6074
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.19045.5965

Additional information

Some issues other people have hit in the past with path translation:

• Default podman-machine-default on Windows missing default seccomp.json? #24318
• trouble using podman cp on windows #15508 (comment)

[Luap99]

These file path interfaces mean the path must exist on the remote system generally. We certainly could expand the path translation from --volume to do it with seccomp as well so I guess this make sense overall.