diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 461f5c7f96..5d25d29a41 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -11,7 +11,8 @@ import (
 // Define constants for native driver
 const (
- defaultApparmorProfile = "docker-default"
+ unconfinedAppArmorProfile = "unconfined"
+ defaultApparmorProfile = "docker-default"
 )
 func ensureDefaultAppArmorProfile() error {
diff --git a/daemon/container_linux.go b/daemon/container_linux.go
index e6f5bf2ccc..0818f62a89 100644
--- a/daemon/container_linux.go
+++ b/daemon/container_linux.go
@@ -24,7 +24,7 @@ func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
 }
 } else {
- container.AppArmorProfile = "unconfined"
+ container.AppArmorProfile = unconfinedAppArmorProfile
 }
 return nil
 }
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index 2df28cb3b8..b9e38f7b08 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -38,12 +38,12 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 } else if c.HostConfig.Privileged {
 // `docker exec --privileged` does not currently disable AppArmor
 // profiles. Privileged configuration of the container is inherited
- appArmorProfile = "unconfined"
+ appArmorProfile = unconfinedAppArmorProfile
 } else {
- appArmorProfile = "docker-default"
+ appArmorProfile = defaultApparmorProfile
 }
- if appArmorProfile == "docker-default" {
+ if appArmorProfile == defaultApparmorProfile {
 // Unattended upgrades and other fun services can unload AppArmor
 // profiles inadvertently. Since we cannot store our profile in
 // /etc/apparmor.d, nor can we practically add other ways of
diff --git a/daemon/exec_linux_test.go b/daemon/exec_linux_test.go
index 9e2f829eb7..89f2dfb5e5 100644
--- a/daemon/exec_linux_test.go
+++ b/daemon/exec_linux_test.go
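Review bot: The two constants in the new `const` block spell the product name differently — the added `unconfinedAppArmorProfile` sits next to the pre-existing `defaultApparmorProfile` — so sibling identifiers now carry two casings, and since this commit already touches every use site it would be cheap to align them (rename the old one to `defaultAppArmorProfile`, or spell the new one `unconfinedApparmorProfile`). Neither constant is documented, and the values are not arbitrary strings: they are the profile names handed to the runtime, and `unconfined` is AppArmor's reserved name for running with no confinement at all. I would add `// unconfinedAppArmorProfile is AppArmor's reserved profile name that applies no confinement; it is selected for privileged containers (see exec_linux.go and oci_linux.go).` and `// defaultApparmorProfile is the profile applied when the container specifies none; ensureDefaultAppArmorProfile (re)loads it.` The loading claim is what the function name below and the "cannot store our profile in /etc/apparmor.d" comment in exec_linux.go suggest; the body of ensureDefaultAppArmorProfile lies outside the hunk, so confirm it before documenting.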
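Review bot: The profile-selection chain in this hunk (`} else if c.HostConfig.Privileged { … } else { … }` followed by the `== defaultApparmorProfile` reload check and its three-line comment) is repeated verbatim in WithApparmor in oci_linux.go, and the commit updates both copies in lockstep instead of collapsing them. Now that both sites read the same constants, a small package helper would leave one place to change when the selection rule evolves, which matters because a divergence between the two decides whether an exec runs under the container's profile or under none. The first branch of the chain and the rest of execSetPlatformOpt lie outside the hunk; judging from the oci_linux.go copy it presumably tests `c.AppArmorProfile != ""` — confirm before extracting. The hunk's comment about `docker exec --privileged` is exec-specific and would stay at the call site.

```go
// appArmorProfileFor returns the profile name to apply to c: the profile
// configured on the container, unconfined for privileged containers,
// otherwise the daemon default.
func appArmorProfileFor(c *container.Container) string {
	if c.AppArmorProfile != "" {
		return c.AppArmorProfile
	}
	if c.HostConfig.Privileged {
		return unconfinedAppArmorProfile
	}
	return defaultApparmorProfile
}

// … unchanged: execSetPlatformOpt and WithApparmor assign appArmorProfile = appArmorProfileFor(c), then keep the existing reload check …
```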
@@ -49,5 +49,5 @@ func TestExecSetPlatformOptPrivileged(t *testing.T) {
 c.HostConfig = &containertypes.HostConfig{Privileged: true}
 err = d.execSetPlatformOpt(c, ec, p)
 assert.NilError(t, err)
- assert.Equal(t, "unconfined", p.ApparmorProfile)
+ assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile)
 }
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 0018c0a649..ac102e48c0 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -113,12 +113,12 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
 if c.AppArmorProfile != "" {
 appArmorProfile = c.AppArmorProfile
 } else if c.HostConfig.Privileged {
- appArmorProfile = "unconfined"
+ appArmorProfile = unconfinedAppArmorProfile
 } else {
- appArmorProfile = "docker-default"
+ appArmorProfile = defaultApparmorProfile
 }
- if appArmorProfile == "docker-default" {
+ if appArmorProfile == defaultApparmorProfile {
 // Unattended upgrades and other fun services can unload AppArmor
 // profiles inadvertently. Since we cannot store our profile in
 // /etc/apparmor.d, nor can we practically add other ways of
diff --git a/daemon/seccomp_disabled.go b/daemon/seccomp_disabled.go
index 56b30b1aec..fff9cbe4c6 100644
--- a/daemon/seccomp_disabled.go
+++ b/daemon/seccomp_disabled.go
@@ -11,7 +11,7 @@ import (
 "github.com/docker/docker/container"
 )
-var supportsSeccomp = false
+const supportsSeccomp = false
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index eea1913189..79e27bd7e5 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -14,7 +14,7 @@ import (
 "github.com/sirupsen/logrus"
 )
-var supportsSeccomp = true
+const supportsSeccomp = true
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
diff --git a/daemon/seccomp_unsupported.go b/daemon/seccomp_unsupported.go
index 0cd5088918..dba8763c88 100644
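Review bot: Replacing the literal with `unconfinedAppArmorProfile` in the `assert.Equal` call makes this assertion tautological for the value: the test now only checks that the implementation used the same identifier it was written with, so an edit or typo in the constant's value would no longer be caught here. `unconfined` is a name interpreted by the AppArmor layer outside this codebase, which makes the test the right place to pin the literal string; I would keep `assert.Equal(t, "unconfined", p.ApparmorProfile)` on this line, or add a one-line test asserting `unconfinedAppArmorProfile == "unconfined"` so the external contract stays covered. TestExecSetPlatformOptPrivileged starts outside the hunk.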
--- a/daemon/seccomp_unsupported.go
+++ b/daemon/seccomp_unsupported.go
@@ -10,7 +10,7 @@ import (
 "github.com/docker/docker/container"
 )
-var supportsSeccomp = false
+const supportsSeccomp = false
 // WithSeccomp sets the seccomp profile
 func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {