Signed-off-by: Jessica Frazelle <acidburn@docker.com>
(cherry picked from commit e542238f2a4ba9d77bf8ebc77e319dd6b321925f)
... | ... |
@@ -59,21 +59,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { |
59 | 59 |
deny /sys/firmware/efi/efivars/** rwklx, |
60 | 60 |
deny /sys/kernel/security/** rwklx, |
61 | 61 |
} |
62 |
- |
|
63 |
-profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) { |
|
64 |
- #include <abstractions/base> |
|
65 |
- |
|
66 |
- network, |
|
67 |
- capability, |
|
68 |
- file, |
|
69 |
- umount, |
|
70 |
- mount, |
|
71 |
- pivot_root, |
|
72 |
- change_profile -> *, |
|
73 |
- |
|
74 |
- ptrace, |
|
75 |
- signal, |
|
76 |
-} |
|
77 | 62 |
` |
78 | 63 |
|
79 | 64 |
func generateProfile(out io.Writer) error { |
... | ... |
@@ -54,11 +54,11 @@ func NewDriver(root, initPath string, options []string) (*driver, error) { |
54 | 54 |
|
55 | 55 |
if apparmor.IsEnabled() { |
56 | 56 |
if err := installAppArmorProfile(); err != nil { |
57 |
- apparmor_profiles := []string{"docker-default", "docker-unconfined"} |
|
57 |
+ apparmorProfiles := []string{"docker-default"} |
|
58 | 58 |
|
59 | 59 |
// Allow daemon to run if loading failed, but are active |
60 | 60 |
// (possibly through another run, manually, or via system startup) |
61 |
- for _, policy := range apparmor_profiles { |
|
61 |
+ for _, policy := range apparmorProfiles { |
|
62 | 62 |
if err := hasAppArmorProfileLoaded(policy); err != nil { |
63 | 63 |
return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy) |
64 | 64 |
} |
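Review bot: The `return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy)` line discards both underlying errors — the install failure from `installAppArmorProfile()` and the check failure from `hasAppArmorProfileLoaded(policy)` — so an operator whose daemon refuses to start has no indication of why the profile could not be loaded, and the inner `err :=` shadows the outer one so the install error cannot be reached from inside the loop. Bind the install error under its own name and report both, e.g. `if installErr := installAppArmorProfile(); installErr != nil {` and `return nil, fmt.Errorf("apparmor enabled on system but the %s profile could not be loaded: install: %v, check: %v", policy, installErr, err)`. Go error strings are also conventionally lowercase without trailing punctuation, which the existing message violates. The enclosing NewDriver starts and ends outside the hunk.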
... | ... |
@@ -20,10 +20,6 @@ The `docker-default` profile the default for running |
20 | 20 |
containers. It is moderately protective while |
21 | 21 |
providing wide application compatability. |
22 | 22 |
|
23 |
-The `docker-unconfined` profile is intended for |
|
24 |
-privileged applications and is the default when runing |
|
25 |
-a container with the *--privileged* flag. |
|
26 |
- |
|
27 | 23 |
The system's standard `unconfined` profile inherits all |
28 | 24 |
system-wide policies, applying path-based policies |
29 | 25 |
intended for the host system inside of containers. |