kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Merge pull request #26518 from SUSE/dont-write-aa-profile-to-etc 

apparmor: do not save profile to /etc/apparmor.d
This commit is contained in:
Justin Cormack 2016-09-13 10:37:11 +01:00 committed by GitHub
parent 0c90f777b7 2f7596aaef
commit 379b02b48d
2 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/aaparser/aaparser.go
View File

@ -23,10 +23,10 @@ func GetVersion() (int, error) {
return parseVersion(output) return parseVersion(output)
} }
// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to // LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
// replace and write it to disk. // replace the profile.
func LoadProfile(profilePath string) error { func LoadProfile(profilePath string) error {
_, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath)) _, err := cmd("-r", filepath.Dir(profilePath))
if err != nil { if err != nil {
return err return err
} }

19
profiles/apparmor/apparmor.go
View File

@ -5,6 +5,7 @@ package apparmor
import ( import (
"bufio" "bufio"
"io" "io"
"io/ioutil"
"os" "os"
"path" "path"
"strings" "strings"
@ -16,8 +17,6 @@ import (
var ( var (
// profileDirectory is the file store for apparmor profiles and macros. // profileDirectory is the file store for apparmor profiles and macros.
profileDirectory = "/etc/apparmor.d" profileDirectory = "/etc/apparmor.d"
// defaultProfilePath is the default path for the apparmor profile to be saved.
defaultProfilePath = path.Join(profileDirectory, "docker")
) )
// profileData holds information about the given profile for generation. // profileData holds information about the given profile for generation.
@ -70,26 +69,26 @@ func macroExists(m string) bool {
// InstallDefault generates a default profile and installs it in the // InstallDefault generates a default profile and installs it in the
// ProfileDirectory with `apparmor_parser`. // ProfileDirectory with `apparmor_parser`.
func InstallDefault(name string) error { func InstallDefault(name string) error {
// Make sure the path where they want to save the profile exists
if err := os.MkdirAll(profileDirectory, 0755); err != nil {
return err
}
p := profileData{ p := profileData{
Name: name, Name: name,
} }
f, err := os.OpenFile(defaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) // Install to a temporary directory.
f, err := ioutil.TempFile("", name)
if err != nil { if err != nil {
return err return err
} }
profilePath := f.Name()
defer f.Close()
defer os.Remove(profilePath)
if err := p.generateDefault(f); err != nil { if err := p.generateDefault(f); err != nil {
f.Close() f.Close()
return err return err
} }
f.Close()
if err := aaparser.LoadProfile(defaultProfilePath); err != nil { if err := aaparser.LoadProfile(profilePath); err != nil {
return err return err
} }