This is necessary because normally `apparmor_parser -r` will try to
create a temporary directory on the host (which is not allowed if the
host has a read-only rootfs). However, the -K option bypasses saving things to the
cache (which avoids this issue).
% apparmor_parser -r /tmp/docker-profile
mkstemp: Read-only file system
% apparmor_parser -Kr /tmp/docker-profile
%
In addition, add extra information to the ensureDefaultAppArmorProfile
errors so that problems like this are easier to debug.
Fixes: 2f7596aaef3a ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
|
| 28 | 28 |
|
| 29 | 29 |
// Load the profile. |
| 30 | 30 |
if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
|
| 31 |
- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
|
|
| 31 |
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
|
|
| 32 | 32 |
} |
| 33 | 33 |
} |
| 34 | 34 |
|
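Review bot: The new error on line 31 formats `err` with `%s`, which flattens it to text and drops the error chain; `%v` is the conventional verb for an error value, and if the module targets Go 1.13 or later `%w` keeps the underlying error reachable through errors.Is/errors.As: `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %w", defaultApparmorProfile, err)`. The extra detail this commit wants surfaced only appears if the error returned by aaprofile.InstallDefault actually carries apparmor_parser's diagnostic output, which is not visible in this hunk. ensureDefaultAppArmorProfile starts before the hunk.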
@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
|
| 22 | 22 |
return parseVersion(output) |
| 23 | 23 |
} |
| 24 | 24 |
|
| 25 |
-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to |
|
| 26 |
-// replace the profile. |
|
| 25 |
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to |
|
| 26 |
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser |
|
| 27 |
+// doesn't try to write to a read-only filesystem. |
|
| 27 | 28 |
func LoadProfile(profilePath string) error {
|
| 28 |
- _, err := cmd("", "-r", profilePath)
|
|
| 29 |
+ _, err := cmd("", "-Kr", profilePath)
|
|
| 29 | 30 |
return err |
| 30 | 31 |
} |
| 31 | 32 |
|
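Review bot: LoadProfile on line 29 still discards the first return value of `cmd` and returns `err` bare, so the parser diagnostic the description quotes (`mkstemp: Read-only file system`) reaches the caller only if `cmd` already folds the process output into `err`; `cmd` is defined outside this hunk, so that cannot be confirmed here. If the discarded value is the command output, attaching it would make failures of the new `-Kr` invocation debuggable from the daemon error alone, e.g. `out, err := cmd("", "-Kr", profilePath)` / `if err != nil { return fmt.Errorf("apparmor_parser -Kr %s: %v: %s", profilePath, err, out) }` / `return nil`. The doc comment could also state the trade-off in one line rather than only the motivation: `// -K bypasses the apparmor_parser cache, so nothing is written to the cache on load.`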