
Use CGO for apparmor profile switch

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
Guillaume J. Charmes 11 lat temu
rodzic
commit
f0f833c6d7

+ 8 - 8
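--- a/pkg/libcontainer/apparmor/apparmor.go
+++ b/pkg/libcontainer/apparmor/apparmor.go
@@ -1,9 +1,12 @@
 package apparmor
 
+// #cgo LDFLAGS: -lapparmor
+// #include <sys/apparmor.h>
+// #include <stdlib.h>
+import "C"
 import (
-	"fmt"
 	"io/ioutil"
-	"os"
+	"unsafe"
 )
 
 func IsEnabled() bool {
@@ -16,13 +19,10 @@ func ApplyProfile(pid int, name string) error {
 		return nil
 	}
 
-	f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
+	cName := C.CString(name)
+	defer C.free(unsafe.Pointer(cName))
 
-	if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+	if _, err := C.aa_change_onexec(cName); err != nil {
 		return err
 	}
 	return nil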
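Review bot: The `pid` parameter of ApplyProfile is no longer read anywhere in the new body — aa_change_onexec acts on the calling task only — so the signature now promises a target it cannot honour; either drop the parameter or document that it must be the caller's own pid. In the same hunk the cgo call discards the C status and keys only on errno: `if _, err := C.aa_change_onexec(cName); err != nil` should test the return code, e.g. `ret, err := C.aa_change_onexec(cName)` followed by `if ret != 0 { return err }`, because a non-zero status is the documented failure signal and errno may be set or cleared independently of it. ApplyProfile also deserves a doc comment stating that the profile transition now takes effect at the next exec rather than immediately, since that is what forces callers to invoke it last. The function's opening lines, including the early `return nil` guard, lie outside the hunk.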

+ 3 - 4
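--- a/pkg/libcontainer/nsinit/init.go
+++ b/pkg/libcontainer/nsinit/init.go
@@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
 
-	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
-		return err
-	}
-
 	if err := setupNetwork(container, context); err != nil {
 		return fmt.Errorf("setup networking %s", err)
 	}
@@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("finalize namespace %s", err)
 	}
 
+	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+		return err
+	}
 	return system.Execv(args[0], args[0:], container.Env)
 }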
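Review bot: The re-added ApplyProfile call in the second hunk returns its error bare, while every neighbouring step in Init wraps with context (`fmt.Errorf("setup networking %s", err)`, `fmt.Errorf("finalize namespace %s", err)`); for consistency and for a readable failure in logs it should read `return fmt.Errorf("apply apparmor profile %s", err)`. The placement is now load-bearing rather than incidental, because with aa_change_onexec the profile only takes effect at the next exec, so a why-comment above the call is warranted, e.g. `// Must stay immediately before Execv: the profile is applied at the next exec.`. The method's earlier steps are outside both hunks, so I cannot confirm no other exec happens in between; worth a glance. The diffstat and rendered hunk counts suggest one trailing context line may have been dropped from the second hunk on this page.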