Browse code
Merge pull request #31773 from cyphar/apparmor-fix-ensure-exec
daemon: also ensureDefaultApparmorProfile in exec path
Vincent Demeester authored on 2017/03/14 00:15:49Showing 1 changed files
| ... | ... |
@@ -5,6 +5,7 @@ import ( |
| 5 | 5 |
"github.com/docker/docker/daemon/caps" |
| 6 | 6 |
"github.com/docker/docker/daemon/exec" |
| 7 | 7 |
"github.com/docker/docker/libcontainerd" |
| 8 |
+ "github.com/opencontainers/runc/libcontainer/apparmor" |
|
| 8 | 9 |
"github.com/opencontainers/runtime-spec/specs-go" |
| 9 | 10 |
) |
| 10 | 11 |
|
| ... | ... |
@@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer |
| 23 | 23 |
if ec.Privileged {
|
| 24 | 24 |
p.Capabilities = caps.GetAllCapabilities() |
| 25 | 25 |
} |
| 26 |
+ if apparmor.IsEnabled() {
|
|
| 27 |
+ var appArmorProfile string |
|
| 28 |
+ if c.AppArmorProfile != "" {
|
|
| 29 |
+ appArmorProfile = c.AppArmorProfile |
|
| 30 |
+ } else if c.HostConfig.Privileged {
|
|
| 31 |
+ appArmorProfile = "unconfined" |
|
| 32 |
+ } else {
|
|
| 33 |
+ appArmorProfile = "docker-default" |
|
| 34 |
+ } |
|
| 35 |
+ |
|
| 36 |
+ if appArmorProfile == "docker-default" {
|
|
| 37 |
+ // Unattended upgrades and other fun services can unload AppArmor |
|
| 38 |
+ // profiles inadvertently. Since we cannot store our profile in |
|
| 39 |
+ // /etc/apparmor.d, nor can we practically add other ways of |
|
| 40 |
+ // telling the system to keep our profile loaded, in order to make |
|
| 41 |
+ // sure that we keep the default profile enabled we dynamically |
|
| 42 |
+ // reload it if necessary. |
|
| 43 |
+ if err := ensureDefaultAppArmorProfile(); err != nil {
|
|
| 44 |
+ return err |
|
| 45 |
+ } |
|
| 46 |
+ } |
|
| 47 |
+ } |
|
| 26 | 48 |
return nil |
| 27 | 49 |
} |