diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2020-07-15 16:33:24 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-07-22 06:27:20 -0400 |
commit | 4c4a00f63ea5bc7956bf40be457bf86643575dce (patch) | |
tree | a35b4bb94a1c5eb93473bec40d7f9794c59e3d04 /cmd/podman/common | |
parent | 59bad8bf7176398dbab6b59867b17567691ffda3 (diff) | |
download | podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.gz podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.bz2 podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.zip |
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd/podman/common')
-rw-r--r-- | cmd/podman/common/create.go | 2 | ||||
-rw-r--r-- | cmd/podman/common/specgen.go | 6 |
2 files changed, 3 insertions, 5 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index 46f78cdba..e248e621f 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -405,7 +405,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet { ) createFlags.StringArrayVar( &cf.SecurityOpt, - "security-opt", containerConfig.SecurityOptions(), + "security-opt", []string{}, "Security Options", ) createFlags.String( diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 731085731..e694317cc 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -512,10 +512,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1]) s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=") case "apparmor": - if !c.Privileged { - s.ContainerSecurityConfig.ApparmorProfile = con[1] - s.Annotations[define.InspectAnnotationApparmor] = con[1] - } + s.ContainerSecurityConfig.ApparmorProfile = con[1] + s.Annotations[define.InspectAnnotationApparmor] = con[1] case "seccomp": s.SeccompProfilePath = con[1] s.Annotations[define.InspectAnnotationSeccomp] = con[1] |