summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2019-05-23 13:12:56 +0200
committerValentin Rothberg <rothberg@redhat.com>2019-05-23 13:17:30 +0200
commitfe928c6b429ff25b9cc14bcf45db976db223ee34 (patch)
treecb1c08067f135a5c8a2a7fefbc8cacc572617f25
parente0376b9c3f9af07d9e58a04a7cd58a7c065305e3 (diff)
downloadpodman-fe928c6b429ff25b9cc14bcf45db976db223ee34.tar.gz
podman-fe928c6b429ff25b9cc14bcf45db976db223ee34.tar.bz2
podman-fe928c6b429ff25b9cc14bcf45db976db223ee34.zip
apparmor: don't load/set profile in privileged mode
Commit 27f9e23a0b9e already prevents setting the profile when creating the spec but we also need to avoid loading and setting the profile when creating the container. Fixes: #3112 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
-rw-r--r--libpod/container_internal_linux.go12
1 files changed, 7 insertions, 5 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c5e404155..f25f76092 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -25,7 +25,7 @@ import (
"github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
- "github.com/cyphar/filepath-securejoin"
+ securejoin "github.com/cyphar/filepath-securejoin"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
// Apply AppArmor checks and load the default profile if needed.
- updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
- if err != nil {
- return nil, err
+ if !c.config.Privileged {
+ updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
+ if err != nil {
+ return nil, err
+ }
+ g.SetProcessApparmorProfile(updatedProfile)
}
- g.SetProcessApparmorProfile(updatedProfile)
if err := c.makeBindMounts(); err != nil {
return nil, err