add apparmor:

Signed-off-by: Victor Vieux <vieux@docker.com>
2014-09-29 23:34:45 +00:00 · 2014-09-29 23:34:45 +00:00 · c2c5e57a8e
commit c2c5e57a8e
parent 87e732a0f3
5 changed files with 17 additions and 5 deletions
--- a/daemon/container.go
+++ b/daemon/container.go
@ -77,6 +77,7 @@ type Container struct {

 	daemon                   *Daemon
 	MountLabel, ProcessLabel string
+	AppArmorProfile          string
 	RestartCount             int

 	// Maps container paths to volume paths.  The key in this is the path to which
@ -275,6 +276,7 @@ func populateCommand(c *Container, env []string) error {
 		ProcessLabel:       c.GetProcessLabel(),
 		MountLabel:         c.GetMountLabel(),
 		LxcConfig:          lxcConfig,
+		AppArmorProfile:    c.AppArmorProfile,
 	}

 	return nil
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@ -561,8 +561,16 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i

 	for _, opt := range config.SecurityOpt {
 		con := strings.SplitN(opt, ":", 2)
-		if con[0] == "label" {
+		if len(con) == 1 {
+			return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
+		}
+		switch con[0] {
+		case "label":
 			label_opts = append(label_opts, con[1])
+		case "apparmor":
+			container.AppArmorProfile = con[1]
+		default:
+			return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
 		}
 	}

--- a/daemon/execdriver/driver.go
+++ b/daemon/execdriver/driver.go
@ -116,4 +116,5 @@ type Command struct {
 	ProcessLabel       string            `json:"process_label"`
 	MountLabel         string            `json:"mount_label"`
 	LxcConfig          []string          `json:"lxc_config"`
+	AppArmorProfile    string            `json:"apparmor_profile"`
 }
--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@ -409,10 +409,7 @@ func rootIsShared() bool {
 }

 func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
-	var (
-		root       = path.Join(d.root, "containers", c.ID, "config.lxc")
-		label_opts []string
-	)
+	root := path.Join(d.root, "containers", c.ID, "config.lxc")

 	fo, err := os.Create(root)
 	if err != nil {
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@ -49,6 +49,10 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, e
 		}
 	}

+	if c.AppArmorProfile != "" {
+		container.AppArmorProfile = c.AppArmorProfile
+	}
+
 	if err := d.setupCgroups(container, c); err != nil {
 		return nil, err
 	}