mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
76fa7d588a
There is not need for the remount hack, we use aa_change_onexec so the apparmor profile is not applied until we exec the users app. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
35 lines
674 B
Go
35 lines
674 B
Go
// +build apparmor,linux,amd64
|
|
|
|
package apparmor
|
|
|
|
// #cgo LDFLAGS: -lapparmor
|
|
// #include <sys/apparmor.h>
|
|
// #include <stdlib.h>
|
|
import "C"
|
|
import (
|
|
"io/ioutil"
|
|
"os"
|
|
"unsafe"
|
|
)
|
|
|
|
func IsEnabled() bool {
|
|
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
|
|
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
|
|
return err == nil && len(buf) > 1 && buf[0] == 'Y'
|
|
}
|
|
return false
|
|
}
|
|
|
|
func ApplyProfile(name string) error {
|
|
if name == "" {
|
|
return nil
|
|
}
|
|
|
|
cName := C.CString(name)
|
|
defer C.free(unsafe.Pointer(cName))
|
|
|
|
if _, err := C.aa_change_onexec(cName); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|