author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-01-10 03:34:54 -0800 |
committer | GitHub <noreply@github.com> | 2019-01-10 03:34:54 -0800 |
commit | 64627d910b2113fa2de6b949d846af379e75e305 (patch) | |
tree | d555591919d240a25827eb3737446260c04496e0 /libpod | |
parent | 0f6535cf6b4bfac265983c2fdd3482310ab4f39b (diff) | |
parent | edb285d17675061832aceaf72021b87aba149438 (diff) | |
Merge pull request #2114 from vrothberg/issue-2107
apparmor: apply default profile at container initialization
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container.go | 26 | ||||
-rw-r--r-- | libpod/container_inspect.go | 5 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 8 |
3 files changed, 38 insertions, 1 deletions
diff --git a/libpod/container.go b/libpod/container.go
index d0eb6a992..026eb1c4f 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -1,7 +1,9 @@
 package libpod
 
 import (
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"os"
 	"path/filepath"
@@ -407,6 +409,30 @@ func (c *Container) Spec() *spec.Spec {
 	return returnSpec
 }
 
+// specFromState returns the unmarshalled json config of the container. If the
+// config does not exist (e.g., because the container was never started) return
+// the spec from the config.
+func (c *Container) specFromState() (*spec.Spec, error) {
+	spec := c.config.Spec
+
+	if f, err := os.Open(c.state.ConfigPath); err == nil {
+		content, err := ioutil.ReadAll(f)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error reading container config")
+		}
+		if err := json.Unmarshal([]byte(content), &spec); err != nil {
+			return nil, errors.Wrapf(err, "error unmarshalling container config")
+		}
+	} else {
+		// ignore when the file does not exist
+		if !os.IsNotExist(err) {
+			return nil, errors.Wrapf(err, "error opening container config")
+		}
+	}
+
+	return spec, nil
+}
+
 // ID returns the container's ID
 func (c *Container) ID() string {
 	return c.config.ID
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 06a0c9f32..e2730c282 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -12,7 +12,10 @@ import (
 func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) (*inspect.ContainerInspectData, error) {
 	config := c.config
 	runtimeInfo := c.state
-	spec := c.config.Spec
+	spec, err := c.specFromState()
+	if err != nil {
+		return nil, err
+	}
 
 	// Process is allowed to be nil in the spec
 	args := []string{}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 582a4c3e7..2f03d45ea 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
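Review bot: The *os.File returned by os.Open in specFromState is never closed, so every inspect of a started container leaks a descriptor until the process exits. Reading the file with ioutil.ReadFile removes the leak and also the `[]byte(content)` conversion, which is a no-op because ReadAll already returns a []byte. Unmarshalling into `&spec` while `spec` aliases c.config.Spec decodes the on-disk state on top of the shared config object rather than into a fresh value, so later readers of c.config.Spec observe the merged result; if that overlay is intended it deserves a comment, otherwise decode into a new spec.Spec as below. The local `spec` also shadows the imported spec package inside the body, which a rename avoids.
```go
func (c *Container) specFromState() (*spec.Spec, error) {
	content, err := ioutil.ReadFile(c.state.ConfigPath)
	if err != nil {
		// ignore when the file does not exist
		if os.IsNotExist(err) {
			return c.config.Spec, nil
		}
		return nil, errors.Wrapf(err, "error reading container config")
	}
	stateSpec := new(spec.Spec)
	if err := json.Unmarshal(content, stateSpec); err != nil {
		return nil, errors.Wrapf(err, "error unmarshalling container config")
	}
	return stateSpec, nil
}
```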
@@ -20,6 +20,7 @@ import (
 	cnitypes "github.com/containernetworking/cni/pkg/types/current"
 	"github.com/containernetworking/plugins/pkg/ns"
 	crioAnnotations "github.com/containers/libpod/pkg/annotations"
+	"github.com/containers/libpod/pkg/apparmor"
 	"github.com/containers/libpod/pkg/criu"
 	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/libpod/pkg/resolvconf"
@@ -185,6 +186,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		}
 	}
 
+	// Apply AppArmor checks and load the default profile if needed.
+	updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
+	if err != nil {
+		return nil, err
+	}
+	g.SetProcessApparmorProfile(updatedProfile)
+
 	if err := c.makeBindMounts(); err != nil {
 		return nil, err
 	}
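Review bot: `c.config.Spec.Process.ApparmorProfile` dereferences Process without a nil check, while container_inspect.go in this same commit states that Process is allowed to be nil in the spec, so such a container would panic in generateSpec instead of returning an error. Guard the read so a missing Process falls through with an empty profile name, which is presumably what CheckProfileAndLoadDefault treats as "not set" — confirm against pkg/apparmor. The check is fed the profile the user requested, so a request for `unconfined` is presumably passed through as-is rather than replaced by the default; if that is the intended escape hatch, a comment here would save the next reader a trip into pkg/apparmor. generateSpec starts and ends outside the hunk; the import hunk above needs no change.
```go
	// Apply AppArmor checks and load the default profile if needed.
	// A nil Process is allowed in the spec; treat it as "no profile requested".
	requestedProfile := ""
	if c.config.Spec.Process != nil {
		requestedProfile = c.config.Spec.Process.ApparmorProfile
	}
	updatedProfile, err := apparmor.CheckProfileAndLoadDefault(requestedProfile)
	// … unchanged: error check and g.SetProcessApparmorProfile(updatedProfile) …
```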