Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@@ -11,7 +11,8 @@ import ( |
| 11 | 11 |
|
| 12 | 12 |
// Define constants for native driver |
| 13 | 13 |
const ( |
| 14 |
- defaultApparmorProfile = "docker-default" |
|
| 14 |
+ unconfinedAppArmorProfile = "unconfined" |
|
| 15 |
+ defaultApparmorProfile = "docker-default" |
|
| 15 | 16 |
) |
| 16 | 17 |
|
| 17 | 18 |
func ensureDefaultAppArmorProfile() error {
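Review bot: The two constants added at lines 14–15 spell the same initialism two ways, `unconfinedAppArmorProfile` next to `defaultApparmorProfile`, and neither carries a comment saying what its value means to the runtime. Renaming the pre-existing `defaultApparmorProfile` to `defaultAppArmorProfile` would touch call sites outside this hunk (`ensureDefaultAppArmorProfile` at line 18 is presumably one), so the cheaper fix is to document both: `// unconfinedAppArmorProfile is the profile name that leaves the process without AppArmor confinement; selected for privileged containers that set no profile.` and `// defaultApparmorProfile is the built-in profile Docker loads on demand for every other container.` With those in place, the block comment "Define constants for native driver" at line 12 adds nothing and could go.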
|
@@ -38,12 +38,12 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config |
| 38 | 38 |
} else if c.HostConfig.Privileged {
|
| 39 | 39 |
// `docker exec --privileged` does not currently disable AppArmor |
| 40 | 40 |
// profiles. Privileged configuration of the container is inherited |
| 41 |
- appArmorProfile = "unconfined" |
|
| 41 |
+ appArmorProfile = unconfinedAppArmorProfile |
|
| 42 | 42 |
} else {
|
| 43 |
- appArmorProfile = "docker-default" |
|
| 43 |
+ appArmorProfile = defaultApparmorProfile |
|
| 44 | 44 |
} |
| 45 | 45 |
|
| 46 |
- if appArmorProfile == "docker-default" {
|
|
| 46 |
+ if appArmorProfile == defaultApparmorProfile {
|
|
| 47 | 47 |
// Unattended upgrades and other fun services can unload AppArmor |
| 48 | 48 |
// profiles inadvertently. Since we cannot store our profile in |
| 49 | 49 |
// /etc/apparmor.d, nor can we practically add other ways of |
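Review bot: The three-way profile selection in this hunk (explicit `c.AppArmorProfile`, else `unconfinedAppArmorProfile` when privileged, else `defaultApparmorProfile`) is repeated verbatim in `WithApparmor` at lines 111–117, and the commit edits both copies in lockstep, which is the usual sign they should be one helper so that exec and container start cannot drift in which profile they apply. The first branch of the chain in this function sits before line 38, outside the hunk, and `execSetPlatformOpt` continues past line 49; the helper below would replace the chain in both functions, leaving only the `ensureDefaultAppArmorProfile` guard at each call site. If `appArmorProfile` is declared with `var` above the hunk, that declaration folds into the `:=` shown.
```go
// resolveAppArmorProfile returns the profile to apply to a process of c:
// the explicitly configured profile, "unconfined" for privileged containers
// that set none, and the built-in default otherwise.
func resolveAppArmorProfile(c *container.Container) string {
	if c.AppArmorProfile != "" {
		return c.AppArmorProfile
	}
	if c.HostConfig.Privileged {
		return unconfinedAppArmorProfile
	}
	return defaultApparmorProfile
}

	appArmorProfile := resolveAppArmorProfile(c)
	// … unchanged: ensureDefaultAppArmorProfile guard …
```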
@@ -49,5 +49,5 @@ func TestExecSetPlatformOptPrivileged(t *testing.T) {
|
| 49 | 49 |
c.HostConfig = &containertypes.HostConfig{Privileged: true}
|
| 50 | 50 |
err = d.execSetPlatformOpt(c, ec, p) |
| 51 | 51 |
assert.NilError(t, err) |
| 52 |
- assert.Equal(t, "unconfined", p.ApparmorProfile) |
|
| 52 |
+ assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile) |
|
| 53 | 53 |
} |
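Review bot: Asserting against `unconfinedAppArmorProfile` at line 52 makes the test tautological for the constant's value: if the constant were mistyped, implementation and test would still agree while the container would be started with a profile name the runtime does not know. The string is a contract with AppArmor and the OCI runtime rather than an internal detail, so the test should keep pinning the literal, `assert.Equal(t, "unconfined", p.ApparmorProfile)`, and the same would apply to any assertion switched to `defaultApparmorProfile`. `TestExecSetPlatformOptPrivileged` begins before line 49, outside the hunk.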
@@ -111,12 +111,12 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
|
| 111 | 111 |
if c.AppArmorProfile != "" {
|
| 112 | 112 |
appArmorProfile = c.AppArmorProfile |
| 113 | 113 |
} else if c.HostConfig.Privileged {
|
| 114 |
- appArmorProfile = "unconfined" |
|
| 114 |
+ appArmorProfile = unconfinedAppArmorProfile |
|
| 115 | 115 |
} else {
|
| 116 |
- appArmorProfile = "docker-default" |
|
| 116 |
+ appArmorProfile = defaultApparmorProfile |
|
| 117 | 117 |
} |
| 118 | 118 |
|
| 119 |
- if appArmorProfile == "docker-default" {
|
|
| 119 |
+ if appArmorProfile == defaultApparmorProfile {
|
|
| 120 | 120 |
// Unattended upgrades and other fun services can unload AppArmor |
| 121 | 121 |
// profiles inadvertently. Since we cannot store our profile in |
| 122 | 122 |
// /etc/apparmor.d, nor can we practically add other ways of |
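Review bot: The guard `if appArmorProfile == defaultApparmorProfile` at line 119 is the only point at which a selected profile is checked for being loaded; an explicit `c.AppArmorProfile`, and the unconfined value chosen for privileged containers, pass through untouched, and nothing in the hunk says so. A one-line comment above the guard would stop the next reader from assuming every profile is verified here: `// Only the built-in profile is (re)loaded on demand; an explicitly configured profile is passed through as-is (presumably expected to be loaded on the host already).` The identical guard in `execSetPlatformOpt` at line 46 deserves the same comment. `WithApparmor` starts before line 111 and continues past line 122, outside the hunk.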