From 930606f8447d3dba323cddddefcca7c18a67119c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 13 Mar 2017 14:57:35 +1100 Subject: [PATCH] daemon: also ensureDefaultApparmorProfile in exec path When 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") was merged, it didn't correctly handle the exec path if AppArmor profiles were deleted. Fix this by duplicating the ensureDefaultApparmorProfile code in the exec code. Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") Signed-off-by: Aleksa Sarai (cherry picked from commit 790a81ea9acce318d0e037771c253951b874140b) Signed-off-by: Victor Vieux --- daemon/exec_linux.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go index 5aeedc3470..bb11c11e44 100644 --- a/daemon/exec_linux.go +++ b/daemon/exec_linux.go @@ -5,6 +5,7 @@ import ( "github.com/docker/docker/daemon/caps" "github.com/docker/docker/daemon/exec" "github.com/docker/docker/libcontainerd" + "github.com/opencontainers/runc/libcontainer/apparmor" "github.com/opencontainers/runtime-spec/specs-go" ) @@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer if ec.Privileged { p.Capabilities = caps.GetAllCapabilities() } + if apparmor.IsEnabled() { + var appArmorProfile string + if c.AppArmorProfile != "" { + appArmorProfile = c.AppArmorProfile + } else if c.HostConfig.Privileged { + appArmorProfile = "unconfined" + } else { + appArmorProfile = "docker-default" + } + + if appArmorProfile == "docker-default" { + // Unattended upgrades and other fun services can unload AppArmor + // profiles inadvertently. Since we cannot store our profile in + // /etc/apparmor.d, nor can we practically add other ways of + // telling the system to keep our profile loaded, in order to make + // sure that we keep the default profile enabled we dynamically + // reload it if necessary. + if err := ensureDefaultAppArmorProfile(); err != nil { + return err + } + } + } return nil }