Browse code
Merge pull request #36466 from thaJeztah/fix-exec-apparmor
Fix AppArmor not being applied to Exec processes
Tõnis Tiigi authored on 2018/03/20 07:12:41Showing 2 changed files
| ... | ... |
@@ -34,6 +34,8 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config |
| 34 | 34 |
if c.AppArmorProfile != "" {
|
| 35 | 35 |
appArmorProfile = c.AppArmorProfile |
| 36 | 36 |
} else if c.HostConfig.Privileged {
|
| 37 |
+ // `docker exec --privileged` does not currently disable AppArmor |
|
| 38 |
+ // profiles. Privileged configuration of the container is inherited |
|
| 37 | 39 |
appArmorProfile = "unconfined" |
| 38 | 40 |
} else {
|
| 39 | 41 |
appArmorProfile = "docker-default" |
| ... | ... |
@@ -50,6 +52,7 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config |
| 50 | 50 |
return err |
| 51 | 51 |
} |
| 52 | 52 |
} |
| 53 |
+ p.ApparmorProfile = appArmorProfile |
|
| 53 | 54 |
} |
| 54 | 55 |
daemon.setRlimits(&specs.Spec{Process: p}, c)
|
| 55 | 56 |
return nil |
| 56 | 57 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,53 @@ |
| 0 |
+// +build linux |
|
| 1 |
+ |
|
| 2 |
+package daemon |
|
| 3 |
+ |
|
| 4 |
+import ( |
|
| 5 |
+ "testing" |
|
| 6 |
+ |
|
| 7 |
+ containertypes "github.com/docker/docker/api/types/container" |
|
| 8 |
+ "github.com/docker/docker/container" |
|
| 9 |
+ "github.com/docker/docker/daemon/exec" |
|
| 10 |
+ "github.com/gotestyourself/gotestyourself/assert" |
|
| 11 |
+ "github.com/opencontainers/runc/libcontainer/apparmor" |
|
| 12 |
+ "github.com/opencontainers/runtime-spec/specs-go" |
|
| 13 |
+) |
|
| 14 |
+ |
|
| 15 |
+func TestExecSetPlatformOpt(t *testing.T) {
|
|
| 16 |
+ if !apparmor.IsEnabled() {
|
|
| 17 |
+ t.Skip("requires AppArmor to be enabled")
|
|
| 18 |
+ } |
|
| 19 |
+ d := &Daemon{}
|
|
| 20 |
+ c := &container.Container{AppArmorProfile: "my-custom-profile"}
|
|
| 21 |
+ ec := &exec.Config{}
|
|
| 22 |
+ p := &specs.Process{}
|
|
| 23 |
+ |
|
| 24 |
+ err := d.execSetPlatformOpt(c, ec, p) |
|
| 25 |
+ assert.NilError(t, err) |
|
| 26 |
+ assert.Equal(t, "my-custom-profile", p.ApparmorProfile) |
|
| 27 |
+} |
|
| 28 |
+ |
|
| 29 |
+// TestExecSetPlatformOptPrivileged verifies that `docker exec --privileged` |
|
| 30 |
+// does not disable AppArmor profiles. Exec currently inherits the `Privileged` |
|
| 31 |
+// configuration of the container. See https://github.com/moby/moby/pull/31773#discussion_r105586900 |
|
| 32 |
+// |
|
| 33 |
+// This behavior may change in future, but test for the behavior to prevent it |
|
| 34 |
+// from being changed accidentally. |
|
| 35 |
+func TestExecSetPlatformOptPrivileged(t *testing.T) {
|
|
| 36 |
+ if !apparmor.IsEnabled() {
|
|
| 37 |
+ t.Skip("requires AppArmor to be enabled")
|
|
| 38 |
+ } |
|
| 39 |
+ d := &Daemon{}
|
|
| 40 |
+ c := &container.Container{AppArmorProfile: "my-custom-profile"}
|
|
| 41 |
+ ec := &exec.Config{Privileged: true}
|
|
| 42 |
+ p := &specs.Process{}
|
|
| 43 |
+ |
|
| 44 |
+ err := d.execSetPlatformOpt(c, ec, p) |
|
| 45 |
+ assert.NilError(t, err) |
|
| 46 |
+ assert.Equal(t, "my-custom-profile", p.ApparmorProfile) |
|
| 47 |
+ |
|
| 48 |
+ c.HostConfig = &containertypes.HostConfig{Privileged: true}
|
|
| 49 |
+ err = d.execSetPlatformOpt(c, ec, p) |
|
| 50 |
+ assert.NilError(t, err) |
|
| 51 |
+ assert.Equal(t, "unconfined", p.ApparmorProfile) |
|
| 52 |
+} |