diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2020-07-15 16:33:24 -0400 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2020-07-22 13:14:15 -0400 |
commit | cb603b8a3e4a4a1da194ed020caf270fa85f6f5b (patch) | |
tree | 10631dc3d3a556ad1f9d30481764f69216d9b4ce /pkg/specgen/generate/security.go | |
parent | 2d24487ba244e5cd900f6aecc5d8896e1354d1ee (diff) | |
download | podman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.tar.gz podman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.tar.bz2 podman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.zip |
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/specgen/generate/security.go')
-rw-r--r-- | pkg/specgen/generate/security.go | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 70493cd5f..fcd1622f9 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -3,6 +3,7 @@ package generate import ( "strings" + "github.com/containers/common/pkg/apparmor" "github.com/containers/common/pkg/capabilities" "github.com/containers/common/pkg/config" "github.com/containers/libpod/v2/libpod" @@ -56,6 +57,28 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s return nil } +func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error { + hasProfile := len(s.ApparmorProfile) > 0 + if !apparmor.IsEnabled() { + if hasProfile { + return errors.Errorf("Apparmor profile %q specified, but Apparmor is not enabled on this system", s.ApparmorProfile) + } + return nil + } + // If privileged and caller did not specify apparmor profiles return + if s.Privileged && !hasProfile { + return nil + } + if !hasProfile { + s.ApparmorProfile = rtc.Containers.ApparmorProfile + } + if len(s.ApparmorProfile) > 0 { + g.SetProcessApparmorProfile(s.ApparmorProfile) + } + + return nil +} + func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *image.Image, rtc *config.Config) error { var ( caplist []string @@ -105,6 +128,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } } } + + g.SetProcessNoNewPrivileges(s.NoNewPrivileges) + + if err := setupApparmor(s, rtc, g); err != nil { + return err + } + configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist |