|
@@ -5,6 +5,7 @@ import (
|
|
|
"github.com/docker/docker/daemon/caps"
|
|
"github.com/docker/docker/daemon/caps"
|
|
|
"github.com/docker/docker/daemon/exec"
|
|
"github.com/docker/docker/daemon/exec"
|
|
|
"github.com/docker/docker/libcontainerd"
|
|
"github.com/docker/docker/libcontainerd"
|
|
|
|
|
+ "github.com/opencontainers/runc/libcontainer/apparmor"
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
|
|
)
|
|
)
|
|
|
|
|
|
|
@@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer
|
|
|
if ec.Privileged {
|
|
if ec.Privileged {
|
|
|
p.Capabilities = caps.GetAllCapabilities()
|
|
p.Capabilities = caps.GetAllCapabilities()
|
|
|
}
|
|
}
|
|
|
|
|
+ if apparmor.IsEnabled() {
|
|
|
|
|
+ var appArmorProfile string
|
|
|
|
|
+ if c.AppArmorProfile != "" {
|
|
|
|
|
+ appArmorProfile = c.AppArmorProfile
|
|
|
|
|
+ } else if c.HostConfig.Privileged {
|
|
|
|
|
+ appArmorProfile = "unconfined"
|
|
|
|
|
+ } else {
|
|
|
|
|
+ appArmorProfile = "docker-default"
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if appArmorProfile == "docker-default" {
|
|
|
|
|
+ // Unattended upgrades and other fun services can unload AppArmor
|
|
|
|
|
+ // profiles inadvertently. Since we cannot store our profile in
|
|
|
|
|
+ // /etc/apparmor.d, nor can we practically add other ways of
|
|
|
|
|
+ // telling the system to keep our profile loaded, in order to make
|
|
|
|
|
+ // sure that we keep the default profile enabled we dynamically
|
|
|
|
|
+ // reload it if necessary.
|
|
|
|
|
+ if err := ensureDefaultAppArmorProfile(); err != nil {
|
|
|
|
|
+ return err
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
return nil
|
|
return nil
|
|
|
}
|
|
}
|
Vincent Demeester