daemon: use constants for AppArmor profiles

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2019-10-13 00:04:44 +02:00
parent d1e837d2a8
commit a33cf495f2
GPG Key ID: 76698F39D527CE8C
5 changed files with 10 additions and 9 deletions


@ -11,7 +11,8 @@ import (
// Define constants for native driver
const (
defaultApparmorProfile = "docker-default"
unconfinedAppArmorProfile = "unconfined"
defaultApparmorProfile = "docker-default"
)
func ensureDefaultAppArmorProfile() error {
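Review bot: The two constants added at lines 18–19 spell the name differently — `defaultApparmorProfile` versus `unconfinedAppArmorProfile` — and since this commit already touches every call site, it is the moment to settle on one form; Go initialism style and the `ensureDefaultAppArmorProfile` function directly beneath both suggest `defaultAppArmorProfile`. Neither constant has a comment saying what the value means at runtime, which matters because these strings are interpreted by AppArmor, not by docker; consider `// defaultAppArmorProfile is the profile docker loads itself and applies when the user sets none.` and `// unconfinedAppArmorProfile is the special profile name meaning "no AppArmor confinement", used for privileged containers.` The body of ensureDefaultAppArmorProfile lies outside the hunk.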


@ -24,7 +24,7 @@ func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
}
} else {
container.AppArmorProfile = "unconfined"
container.AppArmorProfile = unconfinedAppArmorProfile
}
return nil
}


@ -38,12 +38,12 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
} else if c.HostConfig.Privileged {
// `docker exec --privileged` does not currently disable AppArmor
// profiles. Privileged configuration of the container is inherited
appArmorProfile = "unconfined"
appArmorProfile = unconfinedAppArmorProfile
} else {
appArmorProfile = "docker-default"
appArmorProfile = defaultApparmorProfile
}
if appArmorProfile == "docker-default" {
if appArmorProfile == defaultApparmorProfile {
// Unattended upgrades and other fun services can unload AppArmor
// profiles inadvertently. Since we cannot store our profile in
// /etc/apparmor.d, nor can we practically add other ways of
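Review bot: The selection chain at lines 37–44 (explicit profile first, then `Privileged` → `unconfinedAppArmorProfile`, else `defaultApparmorProfile`) followed by the `== defaultApparmorProfile` guard at line 47 is the same sequence `WithApparmor` carries in the last file section (lines 67–75); now that both sides read the same constants, a small helper such as `func appArmorProfileFor(c *container.Container) string` would keep the precedence rule in one place so the two paths cannot drift apart. It is also worth a comment on the `if` at line 47 that the reload check only runs for docker's own profile: a user-supplied name is passed through untouched and is not verified here as loaded, presumably because the runtime rejects an unknown profile at start — confirm and state that, since a reader could otherwise take this branch for a general "profile exists" check. The enclosing function continues outside the hunk.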


@ -49,5 +49,5 @@ func TestExecSetPlatformOptPrivileged(t *testing.T) {
c.HostConfig = &containertypes.HostConfig{Privileged: true}
err = d.execSetPlatformOpt(c, ec, p)
assert.NilError(t, err)
assert.Equal(t, "unconfined", p.ApparmorProfile)
assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile)
}
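Review bot: Asserting `p.ApparmorProfile` against `unconfinedAppArmorProfile` at line 59 makes the test compare the code to its own constant, so a mistyped constant value would still pass; the literal `"unconfined"` on the removed line was the stronger check, because that exact string is what AppArmor interprets, not a docker-internal identifier. Suggest keeping `assert.Equal(t, "unconfined", p.ApparmorProfile)` here, or adding it alongside the constant-based assertion. The test function begins outside the hunk.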


@ -111,12 +111,12 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
if c.AppArmorProfile != "" {
appArmorProfile = c.AppArmorProfile
} else if c.HostConfig.Privileged {
appArmorProfile = "unconfined"
appArmorProfile = unconfinedAppArmorProfile
} else {
appArmorProfile = "docker-default"
appArmorProfile = defaultApparmorProfile
}
if appArmorProfile == "docker-default" {
if appArmorProfile == defaultApparmorProfile {
// Unattended upgrades and other fun services can unload AppArmor
// profiles inadvertently. Since we cannot store our profile in
// /etc/apparmor.d, nor can we practically add other ways of