Signed-off-by: Brian Goff <cpuguy83@gmail.com>
| ... | ... |
@@ -132,7 +132,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
|
| 132 | 132 |
|
| 133 | 133 |
dns := getDNSConfig(opt.DNSConfig) |
| 134 | 134 |
|
| 135 |
- exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping) |
|
| 135 |
+ exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping, opt.ApparmorProfile) |
|
| 136 | 136 |
if err != nil {
|
| 137 | 137 |
return nil, err |
| 138 | 138 |
} |
| ... | ... |
@@ -24,7 +24,7 @@ import ( |
| 24 | 24 |
|
| 25 | 25 |
const networkName = "bridge" |
| 26 | 26 |
|
| 27 |
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping) (executor.Executor, error) {
|
|
| 27 |
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping, apparmorProfile string) (executor.Executor, error) {
|
|
| 28 | 28 |
networkProviders := map[pb.NetMode]network.Provider{
|
| 29 | 29 |
pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},
|
| 30 | 30 |
pb.NetMode_HOST: network.NewHostProvider(), |
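Review bot: The new `apparmorProfile` parameter on `newExecutor` has no comment stating what an empty value means, yet an empty string is exactly what the caller passes when `DefaultApparmorProfile` finds AppArmor disabled on the host (see the helper added elsewhere in this change). A doc comment above the function would make the contract explicit, e.g. `// newExecutor builds the runc-backed executor; apparmorProfile is the AppArmor profile name applied to build containers, and an empty string presumably means no profile is applied — confirm against the runc executor.` The same note applies to the next hunk, where the value is forwarded as `ApparmorProfile: apparmorProfile` into the executor options. The body of newExecutor continues past the end of this hunk.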
| ... | ... |
@@ -38,6 +38,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn |
| 38 | 38 |
NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
|
| 39 | 39 |
IdentityMapping: idmap, |
| 40 | 40 |
DNS: dnsConfig, |
| 41 |
+ ApparmorProfile: apparmorProfile, |
|
| 41 | 42 |
}, networkProviders) |
| 42 | 43 |
} |
| 43 | 44 |
|
| ... | ... |
@@ -11,7 +11,7 @@ import ( |
| 11 | 11 |
"github.com/moby/buildkit/executor/oci" |
| 12 | 12 |
) |
| 13 | 13 |
|
| 14 |
-func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping) (executor.Executor, error) {
|
|
| 14 |
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping, _ string) (executor.Executor, error) {
|
|
| 15 | 15 |
return &winExecutor{}, nil
|
| 16 | 16 |
} |
| 17 | 17 |
|
| ... | ... |
@@ -297,6 +297,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e |
| 297 | 297 |
Rootless: d.Rootless(), |
| 298 | 298 |
IdentityMapping: d.IdentityMapping(), |
| 299 | 299 |
DNSConfig: config.DNSConfig, |
| 300 |
+ ApparmorProfile: daemon.DefaultApparmorProfile(), |
|
| 300 | 301 |
}) |
| 301 | 302 |
if err != nil {
|
| 302 | 303 |
return opts, err |
| ... | ... |
@@ -15,6 +15,14 @@ const ( |
| 15 | 15 |
defaultAppArmorProfile = "docker-default" |
| 16 | 16 |
) |
| 17 | 17 |
|
| 18 |
+// DefaultApparmorProfile returns the name of the default apparmor profile |
|
| 19 |
+func DefaultApparmorProfile() string {
|
|
| 20 |
+ if apparmor.IsEnabled() {
|
|
| 21 |
+ return defaultAppArmorProfile |
|
| 22 |
+ } |
|
| 23 |
+ return "" |
|
| 24 |
+} |
|
| 25 |
+ |
|
| 18 | 26 |
func ensureDefaultAppArmorProfile() error {
|
| 19 | 27 |
if apparmor.IsEnabled() {
|
| 20 | 28 |
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) |
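Review bot: The doc comment on `DefaultApparmorProfile` does not mention the empty-string return path, which is the case callers most need to handle since it is what selects "no profile" for build containers; suggest `// DefaultApparmorProfile returns the name of the default AppArmor profile, or an empty string when AppArmor is not enabled on the host.` The exported name spells it `Apparmor` while the constant it returns is `defaultAppArmorProfile` and the sibling is `ensureDefaultAppArmorProfile`; picking one casing would keep the package consistent. Note also that the helper only checks `apparmor.IsEnabled()`, whereas `ensureDefaultAppArmorProfile` below additionally verifies the profile is loaded via `aaprofile.IsLoaded`, so a caller that runs before that function may receive a profile name that is not yet loaded — worth confirming the call order in the daemon, or saying in the comment that loading is not guaranteed. The remainder of ensureDefaultAppArmorProfile lies outside this hunk.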