GitList

Browse code

Check for apparmor enabled on host to populate profile Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Michael Crosby authored on 2014/04/09 19:22:17
Showing 3 changed files

pkg/libcontainer/apparmor/apparmor.go index a6d57d4..5de241d 100644
runtime/execdriver/native/create.go index 71fab3e..1254614 100644
runtime/execdriver/native/template/default_template.go index a1ecb04..d3c433a 100644

@@ -17,7 +17,7 @@ func IsEnabled() bool {
 }
 
 func ApplyProfile(pid int, name string) error {
-	if !IsEnabled() || name == "" {
+	if name == "" {
 		return nil
 	}
 

runtime/execdriver/native/create.go

History View file @ 87f0d63

@@ -6,6 +6,7 @@ import (
                      	"github.com/dotcloud/docker/pkg/label"
                      	"github.com/dotcloud/docker/pkg/libcontainer"
                     +	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
                      	"github.com/dotcloud/docker/runtime/execdriver"
                      	"github.com/dotcloud/docker/runtime/execdriver/native/configuration"
                      	"github.com/dotcloud/docker/runtime/execdriver/native/template"
@@ -80,7 +81,9 @@ func (d *driver) setPrivileged(container *libcontainer.Container) error {
                      		c.Enabled = true
+                     	}
                      	container.Cgroups.DeviceAccess = true
                     -	container.Context["apparmor_profile"] = "unconfined"
                     +	if apparmor.IsEnabled() {
                     +		container.Context["apparmor_profile"] = "unconfined"
                     +	}
                      	return nil
+                     }

runtime/execdriver/native/template/default_template.go

History View file @ 87f0d63

@@ -3,6 +3,7 @@ package template
                      import (
                      	"github.com/dotcloud/docker/pkg/cgroups"
                      	"github.com/dotcloud/docker/pkg/libcontainer"
                     +	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
+                     )
                      // New returns the docker default configuration for libcontainer
@@ -36,10 +37,11 @@ func New() *libcontainer.Container {
                      			Parent:       "docker",
                      			DeviceAccess: false,
                      		},
                     -		Context: libcontainer.Context{
                     -			"apparmor_profile": "docker-default",
                     -		},
                     +		Context: libcontainer.Context{},
+                     	}
                      	container.CapabilitiesMask.Get("MKNOD").Enabled = true
                     +	if apparmor.IsEnabled() {
                     +		container.Context["apparmor_profile"] = "docker-default"
                     +	}
                      	return container
+                     }

...	...	@@ -17,7 +17,7 @@ func IsEnabled() bool {
17	17	}
18	18
19	19	func ApplyProfile(pid int, name string) error {
20		- if !IsEnabled() \|\| name == "" {
	20	+ if name == "" {
21	21	return nil
22	22	}
23	23