aboutsummaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal_linux.go12
-rw-r--r--libpod/runtime.go5
2 files changed, 9 insertions, 8 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c5e404155..f25f76092 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -25,7 +25,7 @@ import (
"github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
- "github.com/cyphar/filepath-securejoin"
+ securejoin "github.com/cyphar/filepath-securejoin"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
// Apply AppArmor checks and load the default profile if needed.
- updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
- if err != nil {
- return nil, err
+ if !c.config.Privileged {
+ updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
+ if err != nil {
+ return nil, err
+ }
+ g.SetProcessApparmorProfile(updatedProfile)
}
- g.SetProcessApparmorProfile(updatedProfile)
if err := c.makeBindMounts(); err != nil {
return nil, err
diff --git a/libpod/runtime.go b/libpod/runtime.go
index def7ba639..1f8dd98b4 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -877,10 +877,9 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
// TODO: we can't close the FD in this lock, so we should keep it around
// and use it to lock important operations
aliveLock.Lock()
- locked := true
doRefresh := false
defer func() {
- if locked {
+ if aliveLock.Locked() {
aliveLock.Unlock()
}
}()
@@ -891,7 +890,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
// no containers running. Create immediately a namespace, as
// we will need to access the storage.
if os.Geteuid() != 0 {
- aliveLock.Unlock()
+ aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec.
pausePid, err := util.GetRootlessPauseProcessPidPath()
if err != nil {
return errors.Wrapf(err, "could not get pause process pid file path")