daemon: also ensureDefaultApparmorProfile in exec path

When 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor profiles") was merged, it didn't correctly handle the exec path if AppArmor profiles were deleted. Fix this by duplicating the ensureDefaultApparmorProfile code in the exec code. Fixes: 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor profiles") Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-13 14:57:35 +11:00 · 2017-03-13 14:57:35 +11:00 · 790a81ea9a
parent 613334eb50
commit 790a81ea9a
1 changed files with 23 additions and 0 deletions
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@ -5,6 +5,7 @@ import (
 	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/docker/daemon/exec"
 	"github.com/docker/docker/libcontainerd"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer
 	if ec.Privileged {
 		p.Capabilities = caps.GetAllCapabilities()
 	}
+	if apparmor.IsEnabled() {
+		var appArmorProfile string
+		if c.AppArmorProfile != "" {
+			appArmorProfile = c.AppArmorProfile
+		} else if c.HostConfig.Privileged {
+			appArmorProfile = "unconfined"
+		} else {
+			appArmorProfile = "docker-default"
+		}
+
+		if appArmorProfile == "docker-default" {
+			// Unattended upgrades and other fun services can unload AppArmor
+			// profiles inadvertently. Since we cannot store our profile in
+			// /etc/apparmor.d, nor can we practically add other ways of
+			// telling the system to keep our profile loaded, in order to make
+			// sure that we keep the default profile enabled we dynamically
+			// reload it if necessary.
+			if err := ensureDefaultAppArmorProfile(); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }