| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 |
- package apparmor
- import (
- "fmt"
- "io"
- "os"
- "os/exec"
- "path"
- )
- const (
- DefaultProfilePath = "/etc/apparmor.d/docker"
- )
- func InstallDefaultProfile(backupPath string) error {
- if !IsEnabled() {
- return nil
- }
- // If the profile already exists, check if we already have a backup
- // if not, do the backup and override it. (docker 0.10 upgrade changed the apparmor profile)
- // see gh#5049, apparmor blocks signals in ubuntu 14.04
- if _, err := os.Stat(DefaultProfilePath); err == nil {
- if _, err := os.Stat(backupPath); err == nil {
- // If both the profile and the backup are present, do nothing
- return nil
- }
- // Make sure the directory exists
- if err := os.MkdirAll(path.Dir(backupPath), 0755); err != nil {
- return err
- }
- // Create the backup file
- f, err := os.Create(backupPath)
- if err != nil {
- return err
- }
- defer f.Close()
- src, err := os.Open(DefaultProfilePath)
- if err != nil {
- return err
- }
- defer src.Close()
- if _, err := io.Copy(f, src); err != nil {
- return err
- }
- }
- // Make sure /etc/apparmor.d exists
- if err := os.MkdirAll(path.Dir(DefaultProfilePath), 0755); err != nil {
- return err
- }
- f, err := os.OpenFile(DefaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
- if err != nil {
- return err
- }
- if err := generateProfile(f); err != nil {
- f.Close()
- return err
- }
- f.Close()
- cmd := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker")
- // to use the parser directly we have to make sure we are in the correct
- // dir with the profile
- cmd.Dir = "/etc/apparmor.d"
- output, err := cmd.CombinedOutput()
- if err != nil {
- return fmt.Errorf("Error loading docker apparmor profile: %s (%s)", err, output)
- }
- return nil
- }
|
