1. docker
  2. Commit 4f828d67f00449182eaada50dfba37e00f8f01ef
Browse code

Backup current docker apparmor profile and replace it with the new one

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)

Guillaume J. Charmes authored on 2014/04/09 02:10:51
Showing 2 changed files
pkg/libcontainer/apparmor/setup.go
History View file @ 4f828d6
... ... 
@@ -2,13 +2,17 @@ package apparmor
2 2
3 3 
 import (
4 4 
 	"fmt"
5 
+	"io"
5 6 
 	"io/ioutil"
6 7 
 	"os"
7 8 
 	"os/exec"
8 9 
 	"path"
9 10 
 )
10 11
11 
-const DefaultProfilePath = "/etc/apparmor.d/docker"
12 
+const (
13 
+	DefaultProfilePath = "/etc/apparmor.d/docker"
14 
+)
15 
+
12 16 
 const DefaultProfile = `
13 17 
 # AppArmor profile from lxc for containers.
14 18
... ... 
@@ -73,14 +77,38 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
73 73 
 }
74 74 
 `
75 75
76 
-func InstallDefaultProfile() error {
76 
+func InstallDefaultProfile(backupPath string) error {
77 77 
 	if !IsEnabled() {
78 78 
 		return nil
79 79 
 	}
80 80
81 
-	// If the profile already exists, let it be.
81 
+	// If the profile already exists, check if we already have a backup
82 
+	// if not, do the backup and override it. (docker 0.10 upgrade changed the apparmor profile)
83 
+	// see gh#5049, apparmor blocks signals in ubuntu 14.04
82 84 
 	if _, err := os.Stat(DefaultProfilePath); err == nil {
83 
-		return nil
85 
+		if _, err := os.Stat(backupPath); err == nil {
86 
+			// If both the profile and the backup are present, do nothing
87 
+			return nil
88 
+		}
89 
+		// Make sure the directory exists
90 
+		if err := os.MkdirAll(path.Dir(backupPath), 0755); err != nil {
91 
+			return err
92 
+		}
93 
+
94 
+		// Create the backup file
95 
+		f, err := os.Create(backupPath)
96 
+		if err != nil {
97 
+			return err
98 
+		}
99 
+		defer f.Close()
100 
+		src, err := os.Open(DefaultProfilePath)
101 
+		if err != nil {
102 
+			return err
103 
+		}
104 
+		defer src.Close()
105 
+		if _, err := io.Copy(f, src); err != nil {
106 
+			return err
107 
+		}
84 108 
 	}
85 109
86 110 
 	// Make sure /etc/apparmor.d exists
runtime/execdriver/native/driver.go
History View file @ 4f828d6
... ... 
@@ -21,8 +21,9 @@ import (
21 21 
 )
22 22
23 23 
 const (
24 
-	DriverName = "native"
25 
-	Version    = "0.1"
24 
+	DriverName                = "native"
25 
+	Version                   = "0.1"
26 
+	BackupApparmorProfilePath = "apparmor/docker.back" // relative to docker root
26 27 
 )
27 28
28 29 
 func init() {
... ... 
@@ -66,7 +67,8 @@ func NewDriver(root, initPath string) (*driver, error) {
66 66 
 	if err := os.MkdirAll(root, 0700); err != nil {
67 67 
 		return nil, err
68 68 
 	}
69 
-	if err := apparmor.InstallDefaultProfile(); err != nil {
69 
+	// native driver root is at docker_root/execdriver/native. Put apparmor at docker_root
70 
+	if err := apparmor.InstallDefaultProfile(filepath.Join(root, "../..", BackupApparmorProfilePath)); err != nil {
70 71 
 		return nil, err
71 72 
 	}
72 73 
 	return &driver{