summaryrefslogtreecommitdiff
path: root/cmd/podman/common
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-07-15 16:33:24 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-07-22 06:27:20 -0400
commit4c4a00f63ea5bc7956bf40be457bf86643575dce (patch)
treea35b4bb94a1c5eb93473bec40d7f9794c59e3d04 /cmd/podman/common
parent59bad8bf7176398dbab6b59867b17567691ffda3 (diff)
downloadpodman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.gz
podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.bz2
podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.zip
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd/podman/common')
-rw-r--r--cmd/podman/common/create.go2
-rw-r--r--cmd/podman/common/specgen.go6
2 files changed, 3 insertions, 5 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 46f78cdba..e248e621f 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -405,7 +405,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
)
createFlags.StringArrayVar(
&cf.SecurityOpt,
- "security-opt", containerConfig.SecurityOptions(),
+ "security-opt", []string{},
"Security Options",
)
createFlags.String(
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index 731085731..e694317cc 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -512,10 +512,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1])
s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=")
case "apparmor":
- if !c.Privileged {
- s.ContainerSecurityConfig.ApparmorProfile = con[1]
- s.Annotations[define.InspectAnnotationApparmor] = con[1]
- }
+ s.ContainerSecurityConfig.ApparmorProfile = con[1]
+ s.Annotations[define.InspectAnnotationApparmor] = con[1]
case "seccomp":
s.SeccompProfilePath = con[1]
s.Annotations[define.InspectAnnotationSeccomp] = con[1]