daemon: also ensureDefaultApparmorProfile in exec path

When 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor profiles") was merged, it didn't correctly handle the exec path if AppArmor profiles were deleted. Fix this by duplicating the ensureDefaultApparmorProfile code in the exec code. Fixes: 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor profiles") Signed-off-by: Aleksa Sarai <asarai@suse.de> (cherry picked from commit 790a81ea9a) Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2017-03-13 14:57:35 +11:00 · 2017-03-13 14:57:35 +11:00 · 930606f844
commit 930606f844
parent 9c5e221e36
1 changed files with 23 additions and 0 deletions
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@ -5,6 +5,7 @@ import (
 	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/docker/daemon/exec"
 	"github.com/docker/docker/libcontainerd"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer
 	if ec.Privileged {
 		p.Capabilities = caps.GetAllCapabilities()
 	}
+	if apparmor.IsEnabled() {
+		var appArmorProfile string
+		if c.AppArmorProfile != "" {
+			appArmorProfile = c.AppArmorProfile
+		} else if c.HostConfig.Privileged {
+			appArmorProfile = "unconfined"
+		} else {
+			appArmorProfile = "docker-default"
+		}
+
+		if appArmorProfile == "docker-default" {
+			// Unattended upgrades and other fun services can unload AppArmor
+			// profiles inadvertently. Since we cannot store our profile in
+			// /etc/apparmor.d, nor can we practically add other ways of
+			// telling the system to keep our profile loaded, in order to make
+			// sure that we keep the default profile enabled we dynamically
+			// reload it if necessary.
+			if err := ensureDefaultAppArmorProfile(); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }