Merge pull request #4506 from creack/fix_apparmor

Use CGO for apparmor profile switch
2014-03-06 13:37:34 -08:00 · 2014-03-06 13:37:34 -08:00 · b722aa21b7
commit b722aa21b7
parent 83ffc2860b 2128eb52ed
8 changed files with 40 additions and 16 deletions
--- a/1
+++ b/1
@ -87,6 +87,7 @@ RUN	git config --global user.email 'docker-dummy@example.com'

 VOLUME	/var/lib/docker
 WORKDIR	/go/src/github.com/dotcloud/docker
+ENV	DOCKER_BUILDTAGS	apparmor

 # Wrap all commands in the "docker-in-docker" script to allow nested containers
 ENTRYPOINT	["hack/dind"]
--- a/hack/PACKAGERS.md
+++ b/hack/PACKAGERS.md
@ -148,6 +148,15 @@ This will cause the build scripts to set up a reasonable `GOPATH` that
 automatically and properly includes both dotcloud/docker from the local
 directory, and the local "./vendor" directory as necessary.

+### `DOCKER_BUILDTAGS`
+
+If you're building a binary that may need to be used on platforms that include
+AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows:
+
+```bash
+export DOCKER_BUILDTAGS='apparmor'
+```
+
 ### Static Daemon

 If it is feasible within the constraints of your distribution, you should
--- a/hack/make.sh
+++ b/hack/make.sh
@ -84,7 +84,7 @@ fi
 # Use these flags when compiling the tests and final binary
 LDFLAGS='-X github.com/dotcloud/docker/dockerversion.GITCOMMIT "'$GITCOMMIT'" -X github.com/dotcloud/docker/dockerversion.VERSION "'$VERSION'" -w'
 LDFLAGS_STATIC='-X github.com/dotcloud/docker/dockerversion.IAMSTATIC true -linkmode external -extldflags "-lpthread -static -Wl,--unresolved-symbols=ignore-in-object-files"'
-BUILDFLAGS='-tags netgo -a'
+BUILDFLAGS=( -a -tags "netgo $DOCKER_BUILDTAGS" )

 HAVE_GO_TEST_COVER=
 if \
@ -113,7 +113,7 @@ go_test_dir() {
 	(
 		set -x
 		cd "$dir"
-		go test ${testcover[@]} -ldflags "$LDFLAGS" $BUILDFLAGS $TESTFLAGS
+		go test ${testcover[@]} -ldflags "$LDFLAGS" "${BUILDFLAGS[@]}" $TESTFLAGS
 	)
 }

--- a/hack/make/binary
+++ b/hack/make/binary
@ -2,5 +2,5 @@

 DEST=$1

-go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" $BUILDFLAGS ./docker
+go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" "${BUILDFLAGS[@]}" ./docker
 echo "Created binary: $DEST/docker-$VERSION"
--- a/hack/make/dynbinary
+++ b/hack/make/dynbinary
@ -3,7 +3,7 @@
 DEST=$1

 # dockerinit still needs to be a static binary, even if docker is dynamic
-CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" $BUILDFLAGS ./dockerinit
+CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" "${BUILDFLAGS[@]}" ./dockerinit
 echo "Created binary: $DEST/dockerinit-$VERSION"
 ln -sf dockerinit-$VERSION $DEST/dockerinit

--- a/pkg/libcontainer/apparmor/apparmor.go
+++ b/pkg/libcontainer/apparmor/apparmor.go
@ -1,9 +1,14 @@
+// +build apparmor,linux,amd64
+
 package apparmor

+// #cgo LDFLAGS: -lapparmor
+// #include <sys/apparmor.h>
+// #include <stdlib.h>
+import "C"
 import (
-	"fmt"
 	"io/ioutil"
-	"os"
+	"unsafe"
 )

 func IsEnabled() bool {
@ -16,13 +21,10 @@ func ApplyProfile(pid int, name string) error {
 		return nil
 	}

-	f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
+	cName := C.CString(name)
+	defer C.free(unsafe.Pointer(cName))

-	if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+	if _, err := C.aa_change_onexec(cName); err != nil {
 		return err
 	}
 	return nil
--- a/pkg/libcontainer/apparmor/apparmor_disabled.go
+++ b/pkg/libcontainer/apparmor/apparmor_disabled.go
@ -0,0 +1,13 @@
+// +build !apparmor !linux !amd64
+
+package apparmor
+
+import ()
+
+func IsEnabled() bool {
+	return false
+}
+
+func ApplyProfile(pid int, name string) error {
+	return nil
+}
--- a/pkg/libcontainer/nsinit/init.go
+++ b/pkg/libcontainer/nsinit/init.go
@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("setup mount namespace %s", err)
 	}

-	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
-		return err
-	}
-
 	if err := setupNetwork(container, context); err != nil {
 		return fmt.Errorf("setup networking %s", err)
 	}
@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("finalize namespace %s", err)
 	}

+	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+		return err
+	}
 	return system.Execv(args[0], args[0:], container.Env)
 }