From a33cf495f2f0ef0b30b943fc9a7e54ec2aaa4c1e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sun, 13 Oct 2019 00:04:44 +0200
Subject: [PATCH] daemon: use constants for AppArmor profiles
Signed-off-by: Sebastiaan van Stijn
---
 daemon/apparmor_default.go | 3 ++-
 daemon/container_linux.go | 2 +-
 daemon/exec_linux.go | 6 +++---
 daemon/exec_linux_test.go | 2 +-
 daemon/oci_linux.go | 6 +++---
 5 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 461f5c7f96..5d25d29a41 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -11,7 +11,8 @@ import (
 // Define constants for native driver
 const (
- defaultApparmorProfile = "docker-default"
+ unconfinedAppArmorProfile = "unconfined"
+ defaultApparmorProfile = "docker-default"
 )
 func ensureDefaultAppArmorProfile() error {
diff --git a/daemon/container_linux.go b/daemon/container_linux.go
index e6f5bf2ccc..0818f62a89 100644
--- a/daemon/container_linux.go
+++ b/daemon/container_linux.go
@@ -24,7 +24,7 @@ func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
 }
 } else {
- container.AppArmorProfile = "unconfined"
+ container.AppArmorProfile = unconfinedAppArmorProfile
 }
 return nil
 }
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index 2df28cb3b8..b9e38f7b08 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
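Review bot: The constant added to the const block in daemon/apparmor_default.go is spelled `unconfinedAppArmorProfile` while its neighbour stays `defaultApparmorProfile`, so two names in one block disagree on the casing of AppArmor. Settle on one spelling; the function just below is already `ensureDefaultAppArmorProfile`, which argues for the capital A. The block comment "Define constants for native driver" also says nothing about what the values mean, and a per-constant comment such as `// unconfinedAppArmorProfile is the profile name that leaves the process without AppArmor confinement.` would make the consequence of selecting it visible at the definition.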
@@ -38,12 +38,12 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 } else if c.HostConfig.Privileged {
 // `docker exec --privileged` does not currently disable AppArmor
 // profiles. Privileged configuration of the container is inherited
- appArmorProfile = "unconfined"
+ appArmorProfile = unconfinedAppArmorProfile
 } else {
- appArmorProfile = "docker-default"
+ appArmorProfile = defaultApparmorProfile
 }
- if appArmorProfile == "docker-default" {
+ if appArmorProfile == defaultApparmorProfile {
 // Unattended upgrades and other fun services can unload AppArmor
 // profiles inadvertently. Since we cannot store our profile in
 // /etc/apparmor.d, nor can we practically add other ways of
diff --git a/daemon/exec_linux_test.go b/daemon/exec_linux_test.go
index 9e2f829eb7..89f2dfb5e5 100644
--- a/daemon/exec_linux_test.go
+++ b/daemon/exec_linux_test.go
@@ -49,5 +49,5 @@ func TestExecSetPlatformOptPrivileged(t *testing.T) {
 c.HostConfig = &containertypes.HostConfig{Privileged: true}
 err = d.execSetPlatformOpt(c, ec, p)
 assert.NilError(t, err)
- assert.Equal(t, "unconfined", p.ApparmorProfile)
+ assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile)
 }
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index a3864b9a83..203864a21b 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -111,12 +111,12 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
 if c.AppArmorProfile != "" {
 appArmorProfile = c.AppArmorProfile
 } else if c.HostConfig.Privileged {
- appArmorProfile = "unconfined"
+ appArmorProfile = unconfinedAppArmorProfile
 } else {
- appArmorProfile = "docker-default"
+ appArmorProfile = defaultApparmorProfile
 }
- if appArmorProfile == "docker-default" {
+ if appArmorProfile == defaultApparmorProfile {
 // Unattended upgrades and other fun services can unload AppArmor
 // profiles inadvertently. Since we cannot store our profile in
 // /etc/apparmor.d, nor can we practically add other ways of
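Review bot: The profile-selection chain in execSetPlatformOpt (daemon/exec_linux.go) is duplicated in WithApparmor (daemon/oci_linux.go), and this commit has to edit both copies line for line. Now that the profile names are shared constants, the choice itself could live in one unexported helper, so that a later change to when a container runs unconfined cannot reach container start and miss `docker exec`, or the reverse. The helper name below is only a suggestion, and its first case is taken from the WithApparmor hunk; the first branch of the chain in execSetPlatformOpt lies outside its hunk and is assumed to be the same test. Both function bodies continue beyond the visible lines.

```go
// appArmorProfileFor returns the profile name to apply to processes of c:
// the container's explicit profile when one is set, the unconfined profile
// for privileged containers, and the daemon default otherwise.
func appArmorProfileFor(c *container.Container) string {
	switch {
	case c.AppArmorProfile != "":
		return c.AppArmorProfile
	case c.HostConfig.Privileged:
		return unconfinedAppArmorProfile
	default:
		return defaultApparmorProfile
	}
}

// in execSetPlatformOpt and WithApparmor, replacing the if/else chain:
appArmorProfile = appArmorProfileFor(c)
// … unchanged: reload of the default profile when it was selected …
```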
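Review bot: Comparing against `unconfinedAppArmorProfile` makes the assertion in TestExecSetPlatformOptPrivileged follow the constant, so an accidental edit to the constant's value would no longer fail this test, even though the string itself is what ends up in `p.ApparmorProfile`. Keep the literal in the expectation, `assert.Equal(t, "unconfined", p.ApparmorProfile)`, or pin the value separately with `assert.Equal(t, "unconfined", unconfinedAppArmorProfile)`. The start of the test function is outside the hunk.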