diff --git a/daemon/container_linux.go b/daemon/container_linux.go index 8d449f700b..61a6d0ba6a 100644 --- a/daemon/container_linux.go +++ b/daemon/container_linux.go @@ -11,7 +11,7 @@ import ( func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error { container.AppArmorProfile = "" // we don't care about the previous value. - if !daemon.apparmorEnabled { + if !daemon.RawSysInfo().AppArmor { return nil // if apparmor is disabled there is nothing to do here. } @@ -19,13 +19,10 @@ func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error { return errdefs.InvalidParameter(err) } - if !container.HostConfig.Privileged { - if container.AppArmorProfile == "" { - container.AppArmorProfile = defaultAppArmorProfile - } - - } else { + if container.HostConfig.Privileged { container.AppArmorProfile = unconfinedAppArmorProfile + } else if container.AppArmorProfile == "" { + container.AppArmorProfile = defaultAppArmorProfile } return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go index 9f3fc1882d..126b78f55f 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -47,6 +47,7 @@ import ( "github.com/docker/docker/pkg/fileutils" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/plugingetter" + "github.com/docker/docker/pkg/sysinfo" "github.com/docker/docker/pkg/system" "github.com/docker/docker/pkg/truncindex" "github.com/docker/docker/plugin" @@ -92,8 +93,8 @@ type Daemon struct { netController libnetwork.NetworkController volumes *volumesservice.VolumesService root string - seccompEnabled bool - apparmorEnabled bool + sysInfoOnce sync.Once + sysInfo *sysinfo.SysInfo shutdown bool idMapping *idtools.IdentityMapping graphDriver string // TODO: move graphDriver field to an InfoService @@ -1033,8 +1034,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S d.EventsService = events.New() d.root = config.Root d.idMapping = idMapping - d.seccompEnabled = sysInfo.Seccomp - d.apparmorEnabled = sysInfo.AppArmor d.linkIndex = newLinkIndex() @@ -1474,3 +1473,16 @@ func (daemon *Daemon) BuilderBackend() builder.Backend { *images.ImageService }{daemon, daemon.imageService} } + +// RawSysInfo returns *sysinfo.SysInfo . +func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo { + daemon.sysInfoOnce.Do(func() { + // We check if sysInfo is not set here, to allow some test to + // override the actual sysInfo. + if daemon.sysInfo == nil { + daemon.loadSysInfo() + } + }) + + return daemon.sysInfo +} diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go index 3cfc1927f5..1aabe1d9fd 100644 --- a/daemon/daemon_unix.go +++ b/daemon/daemon_unix.go @@ -1712,19 +1712,14 @@ func (daemon *Daemon) setupSeccompProfile() error { return nil } -// RawSysInfo returns *sysinfo.SysInfo . -func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo { +func (daemon *Daemon) loadSysInfo() { var siOpts []sysinfo.Opt if daemon.getCgroupDriver() == cgroupSystemdDriver { if euid := os.Getenv("ROOTLESSKIT_PARENT_EUID"); euid != "" { siOpts = append(siOpts, sysinfo.WithCgroup2GroupPath("/user.slice/user-"+euid+".slice")) } } - return sysinfo.New(siOpts...) -} - -func recursiveUnmount(target string) error { - return mount.RecursiveUnmount(target) + daemon.sysInfo = sysinfo.New(siOpts...) } func (daemon *Daemon) initLibcontainerd(ctx context.Context) error { @@ -1738,3 +1733,7 @@ func (daemon *Daemon) initLibcontainerd(ctx context.Context) error { ) return err } + +func recursiveUnmount(target string) error { + return mount.RecursiveUnmount(target) +} diff --git a/daemon/daemon_unsupported.go b/daemon/daemon_unsupported.go index 7666d14f6e..b2a1b5be9b 100644 --- a/daemon/daemon_unsupported.go +++ b/daemon/daemon_unsupported.go @@ -13,7 +13,6 @@ const platformSupported = false func setupResolvConf(config *config.Config) { } -// RawSysInfo returns *sysinfo.SysInfo . -func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo { - return sysinfo.New() +func (daemon *Daemon) loadSysInfo() { + daemon.sysInfo = sysinfo.New() } diff --git a/daemon/daemon_windows.go b/daemon/daemon_windows.go index 1af070b1d9..fdbfce008f 100644 --- a/daemon/daemon_windows.go +++ b/daemon/daemon_windows.go @@ -629,9 +629,8 @@ func (daemon *Daemon) loadRuntimes() error { func setupResolvConf(config *config.Config) {} -// RawSysInfo returns *sysinfo.SysInfo . -func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo { - return sysinfo.New() +func (daemon *Daemon) loadSysInfo() { + daemon.sysInfo = sysinfo.New() } func (daemon *Daemon) initLibcontainerd(ctx context.Context) error { diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go index 1f4ecb576d..860635e2c1 100644 --- a/daemon/seccomp_linux.go +++ b/daemon/seccomp_linux.go @@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts { if c.HostConfig.Privileged { return nil } - if !daemon.seccompEnabled { + if !daemon.RawSysInfo().Seccomp { if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault { return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile") } diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go index bb5331da37..22add8393c 100644 --- a/daemon/seccomp_linux_test.go +++ b/daemon/seccomp_linux_test.go @@ -11,6 +11,7 @@ import ( "github.com/docker/docker/container" dconfig "github.com/docker/docker/daemon/config" doci "github.com/docker/docker/oci" + "github.com/docker/docker/pkg/sysinfo" "github.com/docker/docker/profiles/seccomp" specs "github.com/opencontainers/runtime-spec/specs-go" "gotest.tools/v3/assert" @@ -31,7 +32,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "unconfined seccompProfile runs unconfined", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, }, c: &container.Container{ SeccompProfile: dconfig.SeccompProfileUnconfined, @@ -45,7 +46,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "privileged container w/ custom profile runs unconfined", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, }, c: &container.Container{ SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }", @@ -59,7 +60,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "privileged container w/ default runs unconfined", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, }, c: &container.Container{ SeccompProfile: "", @@ -73,7 +74,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "privileged container w/ daemon profile runs unconfined", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"), }, c: &container.Container{ @@ -88,7 +89,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "custom profile when seccomp is disabled returns error", daemon: &Daemon{ - seccompEnabled: false, + sysInfo: &sysinfo.SysInfo{Seccomp: false}, }, c: &container.Container{ SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }", @@ -103,7 +104,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "empty profile name loads default profile", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, }, c: &container.Container{ SeccompProfile: "", @@ -122,7 +123,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "load container's profile", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, }, c: &container.Container{ SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }", @@ -143,7 +144,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "load daemon's profile", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"), }, c: &container.Container{ @@ -165,7 +166,7 @@ func TestWithSeccomp(t *testing.T) { { comment: "load prioritise container profile over daemon's", daemon: &Daemon{ - seccompEnabled: true, + sysInfo: &sysinfo.SysInfo{Seccomp: true}, seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"), }, c: &container.Container{ @@ -185,6 +186,7 @@ func TestWithSeccomp(t *testing.T) { }(), }, } { + x := x t.Run(x.comment, func(t *testing.T) { opts := WithSeccomp(x.daemon, x.c) err := opts(nil, nil, nil, &x.inSpec)