aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-07-15 16:33:24 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-07-22 06:27:20 -0400
commit4c4a00f63ea5bc7956bf40be457bf86643575dce (patch)
treea35b4bb94a1c5eb93473bec40d7f9794c59e3d04 /pkg
parent59bad8bf7176398dbab6b59867b17567691ffda3 (diff)
downloadpodman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.gz
podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.tar.bz2
podman-4c4a00f63ea5bc7956bf40be457bf86643575dce.zip
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/specgen/container_validate.go4
-rw-r--r--pkg/specgen/generate/oci.go7
-rw-r--r--pkg/specgen/generate/security.go30
3 files changed, 30 insertions, 11 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 622313a04..eddc4ad5d 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -81,10 +81,6 @@ func (s *SpecGenerator) Validate() error {
if len(s.CapAdd) > 0 && s.Privileged {
return exclusiveOptions("CapAdd", "privileged")
}
- // apparmor and privileged are exclusive
- if len(s.ApparmorProfile) > 0 && s.Privileged {
- return exclusiveOptions("AppArmorProfile", "privileged")
- }
// userns and idmappings conflict
if s.UserNS.IsPrivate() && s.IDMappings == nil {
return errors.Wrap(ErrInvalidSpecConfig, "IDMappings are required when not creating a User namespace")
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 4953735b1..f279aac1c 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -285,13 +285,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
}
- // SECURITY OPTS
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if !s.Privileged {
- g.SetProcessApparmorProfile(s.ApparmorProfile)
- }
-
BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
for name, val := range s.Env {
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 70493cd5f..fcd1622f9 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -3,6 +3,7 @@ package generate
import (
"strings"
+ "github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/capabilities"
"github.com/containers/common/pkg/config"
"github.com/containers/libpod/v2/libpod"
@@ -56,6 +57,28 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s
return nil
}
+func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error {
+ hasProfile := len(s.ApparmorProfile) > 0
+ if !apparmor.IsEnabled() {
+ if hasProfile {
+ return errors.Errorf("Apparmor profile %q specified, but Apparmor is not enabled on this system", s.ApparmorProfile)
+ }
+ return nil
+ }
+ // If privileged and caller did not specify apparmor profiles return
+ if s.Privileged && !hasProfile {
+ return nil
+ }
+ if !hasProfile {
+ s.ApparmorProfile = rtc.Containers.ApparmorProfile
+ }
+ if len(s.ApparmorProfile) > 0 {
+ g.SetProcessApparmorProfile(s.ApparmorProfile)
+ }
+
+ return nil
+}
+
func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *image.Image, rtc *config.Config) error {
var (
caplist []string
@@ -105,6 +128,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
}
}
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist