summaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorValentin Rothberg <vrothberg@suse.com>2018-07-09 08:50:52 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-07-11 16:36:24 +0000
commit06ab343bd7c113fe761631142dde4829e8aa4d40 (patch)
tree0f38b5dd752683d59f9cfe335b748bf759a76a9c /cmd
parent84cfdb20617ac7a5a1138375599e28cdad26b824 (diff)
downloadpodman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.gz
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.bz2
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.zip
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/create.go52
1 files changed, 52 insertions, 0 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index d61f85442..6a70e3f43 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -19,9 +19,11 @@ import (
"github.com/projectatomic/libpod/libpod"
"github.com/projectatomic/libpod/libpod/image"
ann "github.com/projectatomic/libpod/pkg/annotations"
+ "github.com/projectatomic/libpod/pkg/apparmor"
"github.com/projectatomic/libpod/pkg/inspect"
cc "github.com/projectatomic/libpod/pkg/spec"
"github.com/projectatomic/libpod/pkg/util"
+ libpodVersion "github.com/projectatomic/libpod/version"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
@@ -194,6 +196,56 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
}
}
+ if config.ApparmorProfile == "" {
+ // Unless specified otherwise, make sure that the default AppArmor
+ // profile is installed. To avoid redundantly loading the profile
+ // on each invocation, check if it's loaded before installing it.
+ // Suffix the profile with the current libpod version to allow
+ // loading the new, potentially updated profile after an update.
+ profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version)
+
+ loadProfile := func() error {
+ isLoaded, err := apparmor.IsLoaded(profile)
+ if err != nil {
+ return err
+ }
+ if !isLoaded {
+ err = apparmor.InstallDefault(profile)
+ if err != nil {
+ return err
+ }
+
+ }
+ return nil
+ }
+
+ if err := loadProfile(); err != nil {
+ switch err {
+ case apparmor.ErrApparmorUnsupported:
+ // do not set the profile when AppArmor isn't supported
+ logrus.Debugf("AppArmor is not supported: setting empty profile")
+ default:
+ return err
+ }
+ } else {
+ logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile)
+ config.ApparmorProfile = profile
+ }
+ } else {
+ isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile)
+ if err != nil {
+ switch err {
+ case apparmor.ErrApparmorUnsupported:
+ return fmt.Errorf("profile specified but AppArmor is not supported")
+ default:
+ return fmt.Errorf("error checking if AppArmor profile is loaded: %v", err)
+ }
+ }
+ if !isLoaded {
+ return fmt.Errorf("specified AppArmor profile '%s' is not loaded", config.ApparmorProfile)
+ }
+ }
+
if config.SeccompProfilePath == "" {
if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
config.SeccompProfilePath = libpod.SeccompOverridePath