diff options
| author | Ralf Haferkamp <rhafer@suse.com> | 2020-07-10 17:47:22 +0200 |
|---|---|---|
| committer | Ralf Haferkamp <rhafer@suse.com> | 2020-07-10 17:55:18 +0200 |
| commit | b3f15c09cd94f5a92544b7b8c7eb4e74ef8e76d3 (patch) | |
| tree | 47ca28c6062dbc64c53b5152a568dd237de46280 /cmd/podman/common | |
| parent | d9cd0032f7478e625329326d7593162a9f1e8c1e (diff) | |
| download | podman-b3f15c09cd94f5a92544b7b8c7eb4e74ef8e76d3.tar.gz podman-b3f15c09cd94f5a92544b7b8c7eb4e74ef8e76d3.tar.bz2 podman-b3f15c09cd94f5a92544b7b8c7eb4e74ef8e76d3.zip | |
Don't setup AppArmor provile for privileged pods
This is essentially db218e7162c2 forward-ported to specgen
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
Diffstat (limited to 'cmd/podman/common')
| -rw-r--r-- | cmd/podman/common/specgen.go | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index eca0da32b..96aeb08f4 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -525,8 +525,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1]) s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=") case "apparmor": - s.ContainerSecurityConfig.ApparmorProfile = con[1] - s.Annotations[define.InspectAnnotationApparmor] = con[1] + if !c.Privileged { + s.ContainerSecurityConfig.ApparmorProfile = con[1] + s.Annotations[define.InspectAnnotationApparmor] = con[1] + } case "seccomp": s.SeccompProfilePath = con[1] s.Annotations[define.InspectAnnotationSeccomp] = con[1] |