
Merge pull request #5127 from crosbymichael/update-apparmor

Check for apparmor enabled on host to populate profile
Victor Vieux 11 years ago
parent
commit
8d25eef5ef

+ 1 - 1
pkg/libcontainer/apparmor/apparmor.go

@@ -17,7 +17,7 @@ func IsEnabled() bool {
 }
 
 func ApplyProfile(pid int, name string) error {
-	if !IsEnabled() || name == "" {
+	if name == "" {
 		return nil
 	}
 
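Review bot: `ApplyProfile` no longer consults `IsEnabled()`, and nothing in the hunk documents the new contract: a non-empty `name` is now always acted on, and the host check has moved to the callers that populate `apparmor_profile`. The rest of the body is outside the hunk, so it is an inference that a non-empty name on a host without AppArmor now returns an error instead of being skipped. That is the safer direction, because a requested profile that cannot be applied should not leave the container silently unconfined. A doc comment should state it, for example `// ApplyProfile applies the AppArmor profile name to pid. An empty name is a no-op; it does not check IsEnabled, callers must.`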

+ 4 - 1
runtime/execdriver/native/create.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/dotcloud/docker/pkg/label"
 	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
 	"github.com/dotcloud/docker/runtime/execdriver"
 	"github.com/dotcloud/docker/runtime/execdriver/native/configuration"
 	"github.com/dotcloud/docker/runtime/execdriver/native/template"
@@ -80,7 +81,9 @@ func (d *driver) setPrivileged(container *libcontainer.Container) error {
 		c.Enabled = true
 	}
 	container.Cgroups.DeviceAccess = true
-	container.Context["apparmor_profile"] = "unconfined"
+	if apparmor.IsEnabled() {
+		container.Context["apparmor_profile"] = "unconfined"
+	}
 	return nil
 }
 
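Review bot: When `apparmor.IsEnabled()` is false, `setPrivileged` leaves any existing `container.Context["apparmor_profile"]` entry untouched, so a privileged container can keep a profile name that was set earlier. Whether anything writes that key before this call is not visible here (the function starts above the hunk). If something does, `ApplyProfile`, which after this commit no longer checks the host, would be handed that name. Making the branch explicit keeps the privileged path independent of earlier state: `} else { delete(container.Context, "apparmor_profile") }`.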

+ 5 - 3
runtime/execdriver/native/template/default_template.go

@@ -3,6 +3,7 @@ package template
 import (
 	"github.com/dotcloud/docker/pkg/cgroups"
 	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
 )
 
 // New returns the docker default configuration for libcontainer
@@ -36,10 +37,11 @@ func New() *libcontainer.Container {
 			Parent:       "docker",
 			DeviceAccess: false,
 		},
-		Context: libcontainer.Context{
-			"apparmor_profile": "docker-default",
-		},
+		Context: libcontainer.Context{},
 	}
 	container.CapabilitiesMask.Get("MKNOD").Enabled = true
+	if apparmor.IsEnabled() {
+		container.Context["apparmor_profile"] = "docker-default"
+	}
 	return container
 }
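Review bot: The doc comment on `New` still describes a fixed default configuration, but `docker-default` is now set only when `apparmor.IsEnabled()` returns true. On a host where that check is false the template carries no profile entry, and nothing visible in this hunk records that the container will start without AppArmor confinement. I would update the comment to `// New returns the docker default configuration for libcontainer. The "docker-default" AppArmor profile is added only when AppArmor is enabled on the host.` A log line at the point where the profile is skipped would also let operators tell "AppArmor absent" from "profile applied". The body of `New` begins above the hunk.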