1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

1 commit

Author SHA1 Message Date
Sebastiaan van Stijn
8f3308ae10
Fix AppArmor not being applied to Exec processes
Exec processes do not automatically inherit AppArmor
profiles from the container.

This patch sets the AppArmor profile for the exec
process.

Before this change:

    apparmor_parser -q -r <<EOF
    #include <tunables/global>
    profile deny-write flags=(attach_disconnected) {
      #include <abstractions/base>
      file,
      network,
      deny /tmp/** w,
      capability,
    }
    EOF

    docker run -dit --security-opt "apparmor=deny-write" --name aa busybox

    docker exec aa sh -c 'mkdir /tmp/test'
    (no error)

With this change applied:

    docker exec aa sh -c 'mkdir /tmp/test'
    mkdir: can't create directory '/tmp/test': Permission denied

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-03-02 14:05:36 +01:00