authorSascha Grunert <sgrunert@suse.com>2020-09-07 10:20:32 +0200
committerSascha Grunert <sgrunert@suse.com>2020-09-07 10:47:32 +0200
commit1509adc0a7610f368cd9220352d4895da865bffb (patch)
treea85659e1606a60aa7dc4314bb1d62447f6c53c9e
parentba8d0bb5e336e84aaf68148563e61558b5dc94f5 (diff)
Fix unconfined AppArmor profile usage for unsupported systems
If we select "unconfined" as AppArmor profile, then we should not error even if the host does not support it at all. This behavior has been fixed and a corresponding e2e test has been added as well. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
-rw-r--r--pkg/specgen/generate/security.go2
-rw-r--r--test/e2e/run_apparmor_test.go13
2 files changed, 14 insertions, 1 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index d3e3d9278..87e8029a7 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -60,7 +60,7 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s
func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error {
hasProfile := len(s.ApparmorProfile) > 0
if !apparmor.IsEnabled() {
- if hasProfile {
+ if hasProfile && s.ApparmorProfile != "unconfined" {
return errors.Errorf("Apparmor profile %q specified, but Apparmor is not enabled on this system", s.ApparmorProfile)
}
return nil
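Review bot: The literal `"unconfined"` on the added condition is a magic string that the new e2e test spells out independently as `apparmor=unconfined`; a named constant (or an existing one from the runtime, if the project already defines it) would keep the spec generator and the tests agreeing on the exact value and document why it is special. A short comment above the condition would also help, e.g. `// "unconfined" requests no profile at all, so it is valid on hosts without AppArmor.` The early `return nil` leaves `s.ApparmorProfile` unchanged, so whether the "unconfined" value is dropped from the resulting container config is decided by code outside this hunk; the e2e test asserting an empty profile suggests it is, but that is not visible here. setupApparmor continues past the end of the hunk.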
diff --git a/test/e2e/run_apparmor_test.go b/test/e2e/run_apparmor_test.go
index 53cac9529..7d522a752 100644
--- a/test/e2e/run_apparmor_test.go
+++ b/test/e2e/run_apparmor_test.go
@@ -155,4 +155,17 @@ profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
inspect := podmanTest.InspectContainer(cid)
Expect(inspect[0].AppArmorProfile).To(Equal(""))
})
+
+ It("podman run apparmor disabled unconfined", func() {
+ skipIfAppArmorEnabled()
+
+ session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal(""))
+ })
})
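Review bot: The comment `// Verify that apparmor.Profile is being set` on the added test contradicts the assertion directly below it, which expects `inspect[0].AppArmorProfile` to equal `""`, i.e. that no profile is recorded. It reads as copied from the neighbouring test and should state the actual intent, e.g. `// Verify that no AppArmor profile is recorded when the host lacks AppArmor support`. The test only exercises `podman create`, so it checks that spec generation no longer errors rather than that the container actually starts unconfined; a `start` step would make that explicit if that behaviour is meant to be covered. The enclosing Describe block starts outside the hunk.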