diff --git a/daemon/container.go b/daemon/container.go
index 5ea2df2af5b5a8ea2707ff888805254ca6023da7..042f4f025b6d2b5aa4863b0760703cb0a60cdc47 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -77,6 +77,7 @@ type Container struct {
 daemon *Daemon
 MountLabel, ProcessLabel string
+ AppArmorProfile string
 RestartCount int
 // Maps container paths to volume paths. The key in this is the path to which
@@ -275,6 +276,7 @@ func populateCommand(c *Container, env []string) error {
 ProcessLabel: c.GetProcessLabel(),
 MountLabel: c.GetMountLabel(),
 LxcConfig: lxcConfig,
+ AppArmorProfile: c.AppArmorProfile,
 }
 return nil
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 267763fd06d4f3d41c9576cd2580139833b50705..b47498b2e1142dafaf3a787273480cb089c0328d 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -561,8 +561,16 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 for _, opt := range config.SecurityOpt {
 con := strings.SplitN(opt, ":", 2)
- if con[0] == "label" {
+ if len(con) == 1 {
+ return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
+ }
+ switch con[0] {
+ case "label":
 label_opts = append(label_opts, con[1])
+ case "apparmor":
+ container.AppArmorProfile = con[1]
+ default:
+ return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
 }
 }
diff --git a/daemon/execdriver/driver.go b/daemon/execdriver/driver.go
index 6a7e79eca6bae52beaa99e51cc2ab62bc7e74b0c..0be2d50dc473719f0bb44b6a001e218bc0c65d65 100644
--- a/daemon/execdriver/driver.go
+++ b/daemon/execdriver/driver.go
@@ -116,4 +116,5 @@ type Command struct {
 ProcessLabel string `json:"process_label"`
 MountLabel string `json:"mount_label"`
 LxcConfig []string `json:"lxc_config"`
+ AppArmorProfile string `json:"apparmor_profile"`
 }
diff --git a/daemon/execdriver/lxc/driver.go b/daemon/execdriver/lxc/driver.go
index abb74bf5791a1130981888bbfa0c4781f87ebf80..0809b05c1eaa2ac4588993f30c3cacd3df91775b 100644
--- a/daemon/execdriver/lxc/driver.go
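Review bot: The new `AppArmorProfile` field on `Container` has no doc comment, and because it is a confinement setting the meaning of the empty value should be stated where the field is declared rather than left to the driver code. Suggest `// AppArmorProfile is the AppArmor profile name requested via --security-opt apparmor:<name>; empty leaves whatever profile the exec driver configured untouched.` The same comment fits the matching `AppArmorProfile` field added to `execdriver.Command` in daemon/execdriver/driver.go. The `Container` struct continues outside the hunk.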
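Review bot: An option written as `apparmor:` with an empty profile name passes the new `len(con) == 1` guard, because `SplitN` yields two elements, and stores an empty `AppArmorProfile`; the native driver's `if c.AppArmorProfile != ""` check in daemon/execdriver/native/create.go then treats that as "not requested", so the malformed option is accepted and the container runs under the default profile instead of being rejected. The guard should also reject an empty value: `if len(con) == 1 || con[1] == "" {`. Separately, two `apparmor:` entries in one `SecurityOpt` list make the last one win with no diagnostic; consider returning an error when `container.AppArmorProfile` is already non-empty. The body of `newContainer` continues on both sides of the hunk.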
+++ b/daemon/execdriver/lxc/driver.go
@@ -409,10 +409,7 @@ func rootIsShared() bool {
 }
 func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
- var (
- root = path.Join(d.root, "containers", c.ID, "config.lxc")
- label_opts []string
- )
+ root := path.Join(d.root, "containers", c.ID, "config.lxc")
 fo, err := os.Create(root)
 if err != nil {
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index c3abb9a75b128fb13ec591062ab05822d91a0c04..4f325353e9f0dc3d325c6f405d629da4d36051f1 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -49,6 +49,10 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, e
 }
 }
+ if c.AppArmorProfile != "" {
+ container.AppArmorProfile = c.AppArmorProfile
+ }
+
 if err := d.setupCgroups(container, c); err != nil {
 return nil, err
 }
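Review bot: The lxc driver hunk only removes the unused `var` block; nothing in this diff feeds `c.AppArmorProfile` into the LXC config that `generateLXCConfig` writes, while the native driver does honour it. If the lxc driver has no other path that applies the profile (not visible here), an `apparmor:<name>` request is accepted by the daemon and then silently dropped for containers run under that driver, leaving the process under a different confinement than the caller asked for. Either emit the profile from the config template (an `lxc.aa_profile` entry) or have the driver return an error when `c.AppArmorProfile != ""` so the mismatch is visible instead of silent. `generateLXCConfig` continues past the end of the hunk.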
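Review bot: The profile name is copied into the libcontainer config verbatim with no check that such a profile exists or is loaded, so whether a misspelled or unloaded name fails the start or lets the process run under some other profile is decided wherever libcontainer applies `container.AppArmorProfile`, which this hunk does not show. A comment above the guard would make the division of responsibility explicit: `// A non-empty profile overrides the driver default; validity of the name is left to the code that applies it.` This deserves a test asserting that a bogus profile name makes container start fail rather than proceed. `createContainer` continues on both sides of the hunk.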