diff options
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/create.go | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go index d61f85442..6a70e3f43 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -19,9 +19,11 @@ import ( "github.com/projectatomic/libpod/libpod" "github.com/projectatomic/libpod/libpod/image" ann "github.com/projectatomic/libpod/pkg/annotations" + "github.com/projectatomic/libpod/pkg/apparmor" "github.com/projectatomic/libpod/pkg/inspect" cc "github.com/projectatomic/libpod/pkg/spec" "github.com/projectatomic/libpod/pkg/util" + libpodVersion "github.com/projectatomic/libpod/version" "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -194,6 +196,56 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error { } } + if config.ApparmorProfile == "" { + // Unless specified otherwise, make sure that the default AppArmor + // profile is installed. To avoid redundantly loading the profile + // on each invocation, check if it's loaded before installing it. + // Suffix the profile with the current libpod version to allow + // loading the new, potentially updated profile after an update. + profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version) + + loadProfile := func() error { + isLoaded, err := apparmor.IsLoaded(profile) + if err != nil { + return err + } + if !isLoaded { + err = apparmor.InstallDefault(profile) + if err != nil { + return err + } + + } + return nil + } + + if err := loadProfile(); err != nil { + switch err { + case apparmor.ErrApparmorUnsupported: + // do not set the profile when AppArmor isn't supported + logrus.Debugf("AppArmor is not supported: setting empty profile") + default: + return err + } + } else { + logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile) + config.ApparmorProfile = profile + } + } else { + isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile) + if err != nil { + switch err { + case apparmor.ErrApparmorUnsupported: + return fmt.Errorf("profile specified but AppArmor is not supported") + default: + return fmt.Errorf("error checking if AppArmor profile is loaded: %v", err) + } + } + if !isLoaded { + return fmt.Errorf("specified AppArmor profile '%s' is not loaded", config.ApparmorProfile) + } + } + if config.SeccompProfilePath == "" { if _, err := os.Stat(libpod.SeccompOverridePath); err == nil { config.SeccompProfilePath = libpod.SeccompOverridePath |