11 năm trước cách đây · c9fdb08bda
--- a/daemon/execdriver/native/configuration/parse.go
+++ b/daemon/execdriver/native/configuration/parse.go
@@ -54,7 +54,7 @@ func systemdSlice(container *libcontainer.Config, context interface{}, value str
 
				 }
			
 
				 
			
 
				 func apparmorProfile(container *libcontainer.Config, context interface{}, value string) error {
			
 
				-	container.Context["apparmor_profile"] = value
			
 
				+	container.AppArmorProfile = value
			
 
				 	return nil
			
 
				 }
			
 
				 
			
--- a/daemon/execdriver/native/configuration/parse_test.go
+++ b/daemon/execdriver/native/configuration/parse_test.go
@@ -84,8 +84,9 @@ func TestAppArmorProfile(t *testing.T) {
 
				 	if err := ParseConfiguration(container, nil, opts); err != nil {
			
 
				 		t.Fatal(err)
			
 
				 	}
			
 
				-	if expected := "koye-the-protector"; container.Context["apparmor_profile"] != expected {
			
 
				-		t.Fatalf("expected profile %s got %s", expected, container.Context["apparmor_profile"])
			
 
				+
			
 
				+	if expected := "koye-the-protector"; container.AppArmorProfile != expected {
			
 
				+		t.Fatalf("expected profile %s got %s", expected, container.AppArmorProfile)
			
 
				 	}
			
 
				 }
			
 
				 
			
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -32,7 +32,7 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, e
 
				 
			
 
				 	// check to see if we are running in ramdisk to disable pivot root
			
 
				 	container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
			
 
				-	container.Context["restrictions"] = "true"
			
 
				+	container.RestrictSys = true
			
 
				 
			
 
				 	if err := d.createNetwork(container, c); err != nil {
			
 
				 		return nil, err
			
@@ -127,10 +127,10 @@ func (d *driver) setPrivileged(container *libcontainer.Config) (err error) {
 
				 	}
			
 
				 	container.MountConfig.DeviceNodes = hostDeviceNodes
			
 
				 
			
 
				-	delete(container.Context, "restrictions")
			
 
				+	container.RestrictSys = false
			
 
				 
			
 
				 	if apparmor.IsEnabled() {
			
 
				-		container.Context["apparmor_profile"] = "unconfined"
			
 
				+		container.AppArmorProfile = "unconfined"
			
 
				 	}
			
 
				 
			
 
				 	return nil
			
@@ -163,8 +163,8 @@ func (d *driver) setupMounts(container *libcontainer.Config, c *execdriver.Comma
 
				 }
			
 
				 
			
 
				 func (d *driver) setupLabels(container *libcontainer.Config, c *execdriver.Command) error {
			
 
				-	container.Context["process_label"] = c.Config["process_label"][0]
			
 
				-	container.Context["mount_label"] = c.Config["mount_label"][0]
			
 
				+	container.ProcessLabel = c.Config["process_label"][0]
			
 
				+	container.MountConfig.MountLabel = c.Config["mount_label"][0]
			
 
				 
			
 
				 	return nil
			
 
				 }
			
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -35,11 +35,10 @@ func New() *libcontainer.Config {
 
				 			AllowAllDevices: false,
			
 
				 		},
			
 
				 		MountConfig: &libcontainer.MountConfig{},
			
 
				-		Context:     make(map[string]string),
			
 
				 	}
			
 
				 
			
 
				 	if apparmor.IsEnabled() {
			
 
				-		container.Context["apparmor_profile"] = "docker-default"
			
 
				+		container.AppArmorProfile = "docker-default"
			
 
				 	}
			
 
				 
			
 
				 	return container