
daemon: use constants for AppArmor profiles

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 5 år sedan
förälder
incheckning
a33cf495f2
5 ändrade filer med 10 tillägg och 9 borttagningar
  1. 2 1
      daemon/apparmor_default.go
  2. 1 1
      daemon/container_linux.go
  3. 3 3
      daemon/exec_linux.go
  4. 1 1
      daemon/exec_linux_test.go
  5. 3 3
      daemon/oci_linux.go

+ 2 - 1
daemon/apparmor_default.go

@@ -11,7 +11,8 @@ import (
 
 // Define constants for native driver
 const (
-	defaultApparmorProfile = "docker-default"
+	unconfinedAppArmorProfile = "unconfined"
+	defaultApparmorProfile    = "docker-default"
 )
 
 func ensureDefaultAppArmorProfile() error {
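Review bot: The two constants in this block now disagree on casing, `unconfinedAppArmorProfile` next to `defaultApparmorProfile`, while the function directly below is spelled `ensureDefaultAppArmorProfile`; renaming the older one to `defaultAppArmorProfile` in a follow-up would keep the pair consistent and greppable. The group comment `// Define constants for native driver` also says nothing about what the two values mean, and the difference is security-relevant: one selects the daemon's default profile, the other leaves the process without AppArmor confinement. I would give each constant its own line comment, for example `// unconfinedAppArmorProfile is the profile name that leaves a process without AppArmor confinement.` and `// defaultApparmorProfile is the profile applied when the container requests none and is not privileged.`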

+ 1 - 1
daemon/container_linux.go

@@ -24,7 +24,7 @@ func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
 		}
 
 	} else {
-		container.AppArmorProfile = "unconfined"
+		container.AppArmorProfile = unconfinedAppArmorProfile
 	}
 	return nil
 }

+ 3 - 3
daemon/exec_linux.go

@@ -38,12 +38,12 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 		} else if c.HostConfig.Privileged {
 			// `docker exec --privileged` does not currently disable AppArmor
 			// profiles. Privileged configuration of the container is inherited
-			appArmorProfile = "unconfined"
+			appArmorProfile = unconfinedAppArmorProfile
 		} else {
-			appArmorProfile = "docker-default"
+			appArmorProfile = defaultApparmorProfile
 		}
 
-		if appArmorProfile == "docker-default" {
+		if appArmorProfile == defaultApparmorProfile {
 			// Unattended upgrades and other fun services can unload AppArmor
 			// profiles inadvertently. Since we cannot store our profile in
 			// /etc/apparmor.d, nor can we practically add other ways of
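Review bot: The profile selection in this hunk (`c.HostConfig.Privileged` gives `unconfinedAppArmorProfile`, otherwise `defaultApparmorProfile`, followed by the `== defaultApparmorProfile` check) is repeated line for line in `WithApparmor` in daemon/oci_linux.go, so the decision about when a process runs unconfined lives in two places that can drift apart. Now that both sites share the constants, a small helper would let them share the decision as well. The first branch of the chain and the start of `execSetPlatformOpt` are outside this hunk; the sketch below assumes that branch matches the `c.AppArmorProfile != ""` check visible in the oci_linux.go hunk, which should be confirmed before merging the two. The existing comment on the privileged branch is also hard to read against the code, since it talks about `docker exec --privileged` while the visible condition keys on the container's `HostConfig.Privileged`; one sentence saying which flag is consulted would help.

```go
// appArmorProfileFor returns the AppArmor profile name to apply for c:
// the container's explicit profile if one is set, unconfined for a
// privileged container, and the daemon default otherwise.
func appArmorProfileFor(c *container.Container) string {
	switch {
	case c.AppArmorProfile != "":
		return c.AppArmorProfile
	case c.HostConfig.Privileged:
		return unconfinedAppArmorProfile
	default:
		return defaultApparmorProfile
	}
}

// in execSetPlatformOpt and in WithApparmor, replacing the if/else chain:
appArmorProfile = appArmorProfileFor(c)
// … unchanged: handling of the appArmorProfile == defaultApparmorProfile case …
```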

+ 1 - 1
daemon/exec_linux_test.go

@@ -49,5 +49,5 @@ func TestExecSetPlatformOptPrivileged(t *testing.T) {
 	c.HostConfig = &containertypes.HostConfig{Privileged: true}
 	err = d.execSetPlatformOpt(c, ec, p)
 	assert.NilError(t, err)
-	assert.Equal(t, "unconfined", p.ApparmorProfile)
+	assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile)
 }
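Review bot: With the constant on the expected side, this assertion no longer pins the string that ends up in `p.ApparmorProfile`: if `unconfinedAppArmorProfile` were ever changed or mistyped, the production code and the test would move together and the test would still pass. The value is presumably interpreted by name further down the stack, so the exact spelling is part of the contract being tested. I would keep the literal here, `assert.Equal(t, "unconfined", p.ApparmorProfile)`, or add a one-line check such as `assert.Equal(t, "unconfined", unconfinedAppArmorProfile)`. The test function starts outside the hunk.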

+ 3 - 3
daemon/oci_linux.go

@@ -111,12 +111,12 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
 			if c.AppArmorProfile != "" {
 				appArmorProfile = c.AppArmorProfile
 			} else if c.HostConfig.Privileged {
-				appArmorProfile = "unconfined"
+				appArmorProfile = unconfinedAppArmorProfile
 			} else {
-				appArmorProfile = "docker-default"
+				appArmorProfile = defaultApparmorProfile
 			}
 
-			if appArmorProfile == "docker-default" {
+			if appArmorProfile == defaultApparmorProfile {
 				// Unattended upgrades and other fun services can unload AppArmor
 				// profiles inadvertently. Since we cannot store our profile in
 				// /etc/apparmor.d, nor can we practically add other ways of