author | Valentin Rothberg <vrothberg@suse.com> | 2018-07-09 08:50:52 +0200 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-07-11 16:36:24 +0000 |
commit | 06ab343bd7c113fe761631142dde4829e8aa4d40 (patch) | |
tree | 0f38b5dd752683d59f9cfe335b748bf759a76a9c /cmd/podman | |
parent | 84cfdb20617ac7a5a1138375599e28cdad26b824 (diff) | |
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check whether a specified AppArmor profile is actually loaded and
return an error if it is not.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/create.go | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index d61f85442..6a70e3f43 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -19,9 +19,11 @@ import (
 	"github.com/projectatomic/libpod/libpod"
 	"github.com/projectatomic/libpod/libpod/image"
 	ann "github.com/projectatomic/libpod/pkg/annotations"
+	"github.com/projectatomic/libpod/pkg/apparmor"
 	"github.com/projectatomic/libpod/pkg/inspect"
 	cc "github.com/projectatomic/libpod/pkg/spec"
 	"github.com/projectatomic/libpod/pkg/util"
+	libpodVersion "github.com/projectatomic/libpod/version"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
@@ -194,6 +196,56 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 		}
 	}
 
+	if config.ApparmorProfile == "" {
+		// Unless specified otherwise, make sure that the default AppArmor
+		// profile is installed. To avoid redundantly loading the profile
+		// on each invocation, check if it's loaded before installing it.
+		// Suffix the profile with the current libpod version to allow
+		// loading the new, potentially updated profile after an update.
+		profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version)
+
+		loadProfile := func() error {
+			isLoaded, err := apparmor.IsLoaded(profile)
+			if err != nil {
+				return err
+			}
+			if !isLoaded {
+				err = apparmor.InstallDefault(profile)
+				if err != nil {
+					return err
+				}
+
+			}
+			return nil
+		}
+
+		if err := loadProfile(); err != nil {
+			switch err {
+			case apparmor.ErrApparmorUnsupported:
+				// do not set the profile when AppArmor isn't supported
+				logrus.Debugf("AppArmor is not supported: setting empty profile")
+			default:
+				return err
+			}
+		} else {
+			logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile)
+			config.ApparmorProfile = profile
+		}
+	} else {
+		isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile)
+		if err != nil {
+			switch err {
+			case apparmor.ErrApparmorUnsupported:
+				return fmt.Errorf("profile specified but AppArmor is not supported")
+			default:
+				return fmt.Errorf("error checking if AppArmor profile is loaded: %v", err)
+			}
+		}
+		if !isLoaded {
+			return fmt.Errorf("specified AppArmor profile '%s' is not loaded", config.ApparmorProfile)
+		}
+	}
+
 	if config.SeccompProfilePath == "" {
 		if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
 			config.SeccompProfilePath = libpod.SeccompOverridePath
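Review bot: The else branch rejects every user-supplied profile that apparmor.IsLoaded does not report as loaded, so if the CLI accepts the conventional `unconfined` value (as other container runtimes do) the request to disable confinement would now fail with "specified AppArmor profile 'unconfined' is not loaded" instead of being honored; if that value is meant to be supported, skip the loaded check for it, e.g. `} else if config.ApparmorProfile != "unconfined" {`. In the default branch, the non-unsupported error is returned bare while the explicit-profile branch wraps its errors, so the caller cannot tell the default-profile load failed; `return fmt.Errorf("error loading default AppArmor profile '%s': %v", profile, err)` would match the style of the other branch. The success log also has two typos: `logrus.Infof("Successfully loaded AppArmor profile '%s'", profile)`. parseSecurityOpt starts and ends outside this hunk.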