Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
gofmt'd
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Changed the function name to something more adequate and changed the behaviour to show an empty value on an AppArmor-disabled system.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
go fmt
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
| 1 | 1 |
new file mode 100644 |
@@ -0,0 +1,29 @@ |
| 0 |
+//+build !windows |
|
| 1 |
+ |
|
| 2 |
+package daemon |
|
| 3 |
+ |
|
| 4 |
+import ( |
|
| 5 |
+ "github.com/docker/docker/container" |
|
| 6 |
+) |
|
| 7 |
+ |
|
| 8 |
+func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
|
|
| 9 |
+ container.AppArmorProfile = "" //we don't care about the previous value. |
|
| 10 |
+ |
|
| 11 |
+ if !daemon.apparmorEnabled {
|
|
| 12 |
+ return nil // if apparmor is disabled there is nothing to do here. |
|
| 13 |
+ } |
|
| 14 |
+ |
|
| 15 |
+ if err := parseSecurityOpt(container, container.HostConfig); err != nil {
|
|
| 16 |
+ return err |
|
| 17 |
+ } |
|
| 18 |
+ |
|
| 19 |
+ if !container.HostConfig.Privileged {
|
|
| 20 |
+ if container.AppArmorProfile == "" {
|
|
| 21 |
+ container.AppArmorProfile = defaultApparmorProfile |
|
| 22 |
+ } |
|
| 23 |
+ |
|
| 24 |
+ } else {
|
|
| 25 |
+ container.AppArmorProfile = "unconfined" |
|
| 26 |
+ } |
|
| 27 |
+ return nil |
|
| 28 |
+} |
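Review bot: The build constraint on the first line is malformed: `//+build !windows` has no space after `//`, so the toolchain does not recognise it as a constraint (go vet reports a possible malformed +build comment) and the file is compiled on every platform, including Windows where `defaultApparmorProfile` and `parseSecurityOpt` are presumably absent; it should read `// +build !windows`. Separately, when `daemon.apparmorEnabled` is false the function blanks `container.AppArmorProfile` and returns nil before `parseSecurityOpt` runs, so a profile the caller asked for through `HostConfig.SecurityOpt` appears to be silently dropped rather than rejected; if that is not intended, consider returning an error when a non-empty apparmor option is present on a host without AppArmor, so the caller learns the container is running without the confinement it requested. The parameter `container` also shadows the imported `container` package, which compiles but makes the body harder to read.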
@@ -92,6 +92,7 @@ type Daemon struct {
|
| 92 | 92 |
discoveryWatcher discoveryReloader |
| 93 | 93 |
root string |
| 94 | 94 |
seccompEnabled bool |
| 95 |
+ apparmorEnabled bool |
|
| 95 | 96 |
shutdown bool |
| 96 | 97 |
uidMaps []idtools.IDMap |
| 97 | 98 |
gidMaps []idtools.IDMap |
@@ -683,6 +684,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot |
| 683 | 683 |
d.uidMaps = uidMaps |
| 684 | 684 |
d.gidMaps = gidMaps |
| 685 | 685 |
d.seccompEnabled = sysInfo.Seccomp |
| 686 |
+ d.apparmorEnabled = sysInfo.AppArmor |
|
| 686 | 687 |
|
| 687 | 688 |
d.nameIndex = registrar.NewRegistrar() |
| 688 | 689 |
d.linkIndex = newLinkIndex() |
@@ -164,6 +164,10 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint |
| 164 | 164 |
checkpointDir = container.CheckpointDir() |
| 165 | 165 |
} |
| 166 | 166 |
|
| 167 |
+ if daemon.saveApparmorConfig(container); err != nil {
|
|
| 168 |
+ return err |
|
| 169 |
+ } |
|
| 170 |
+ |
|
| 167 | 171 |
if err := daemon.containerd.Create(container.ID, checkpoint, checkpointDir, *spec, container.InitializeStdio, createOptions...); err != nil {
|
| 168 | 172 |
errDesc := grpc.ErrorDesc(err) |
| 169 | 173 |
contains := func(s1, s2 string) bool {
|
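Review bot: The error returned by `daemon.saveApparmorConfig(container)` on new line 167 is discarded: the call sits in the `if` init statement with no assignment, so the condition tests whatever value the outer `err` already holds, and a failure to apply the AppArmor profile (for example a rejected `apparmor=` security option) lets the container start anyway. The guard should be `if err := daemon.saveApparmorConfig(container); err != nil {`. As written it only compiles because an `err` variable is already in scope in containerStart, whose body starts and ends outside the hunk.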