Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information.

Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information. Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> gofmt'd Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> change the function name to something more adequate and changed the behaviour to show empty value on an apparmor disabled system. Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> go fmt Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
2022-11-09 12:21:53 -05:00 · 2016-12-19 13:22:45 +01:00 · 2016-12-19 13:22:45 +01:00 · d97a00dfd5
commit d97a00dfd5
parent 48dd90d398
4 changed files with 46 additions and 0 deletions
--- a/daemon/container_linux.go
+++ b/daemon/container_linux.go
@ -0,0 +1,29 @@
+//+build !windows
+
+package daemon
+
+import (
+	"github.com/docker/docker/container"
+)
+
+func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
+	container.AppArmorProfile = "" //we don't care about the previous value.
+
+	if !daemon.apparmorEnabled {
+		return nil // if apparmor is disabled there is nothing to do here.
+	}
+
+	if err := parseSecurityOpt(container, container.HostConfig); err != nil {
+		return err
+	}
+
+	if !container.HostConfig.Privileged {
+		if container.AppArmorProfile == "" {
+			container.AppArmorProfile = defaultApparmorProfile
+		}
+
+	} else {
+		container.AppArmorProfile = "unconfined"
+	}
+	return nil
+}
--- a/daemon/container_windows.go
+++ b/daemon/container_windows.go
@ -0,0 +1,11 @@
+//+build windows
+
+package daemon
+
+import (
+	"github.com/docker/docker/container"
+)
+
+func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
+	return nil
+}
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@ -92,6 +92,7 @@ type Daemon struct {
 	discoveryWatcher          discoveryReloader
 	root                      string
 	seccompEnabled            bool
+	apparmorEnabled           bool
 	shutdown                  bool
 	uidMaps                   []idtools.IDMap
 	gidMaps                   []idtools.IDMap
@ -683,6 +684,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot
 	d.uidMaps = uidMaps
 	d.gidMaps = gidMaps
 	d.seccompEnabled = sysInfo.Seccomp
+	d.apparmorEnabled = sysInfo.AppArmor

 	d.nameIndex = registrar.NewRegistrar()
 	d.linkIndex = newLinkIndex()
--- a/daemon/start.go
+++ b/daemon/start.go
@ -164,6 +164,10 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
 		checkpointDir = container.CheckpointDir()
 	}

+	if daemon.saveApparmorConfig(container); err != nil {
+		return err
+	}
+
 	if err := daemon.containerd.Create(container.ID, checkpoint, checkpointDir, *spec, container.InitializeStdio, createOptions...); err != nil {
 		errDesc := grpc.ErrorDesc(err)
 		contains := func(s1, s2 string) bool {