diff options
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_internal_linux.go | 12 | ||||
-rw-r--r-- | libpod/runtime.go | 5 |
2 files changed, 9 insertions, 8 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c5e404155..f25f76092 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -25,7 +25,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } // Apply AppArmor checks and load the default profile if needed. - updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) - if err != nil { - return nil, err + if !c.config.Privileged { + updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) + if err != nil { + return nil, err + } + g.SetProcessApparmorProfile(updatedProfile) } - g.SetProcessApparmorProfile(updatedProfile) if err := c.makeBindMounts(); err != nil { return nil, err diff --git a/libpod/runtime.go b/libpod/runtime.go index def7ba639..1f8dd98b4 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -877,10 +877,9 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) { // TODO: we can't close the FD in this lock, so we should keep it around // and use it to lock important operations aliveLock.Lock() - locked := true doRefresh := false defer func() { - if locked { + if aliveLock.Locked() { aliveLock.Unlock() } }() @@ -891,7 +890,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) { // no containers running. Create immediately a namespace, as // we will need to access the storage. if os.Geteuid() != 0 { - aliveLock.Unlock() + aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. pausePid, err := util.GetRootlessPauseProcessPidPath() if err != nil { return errors.Wrapf(err, "could not get pause process pid file path") |