summaryrefslogtreecommitdiff
path: root/pkg/apparmor/apparmor.go
Commit message (Collapse)AuthorAge
* apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* pkg/apparmor: move data under Linux/apparmor buildtagsValentin Rothberg2018-08-14
| | | | | | | | | | Move all Linux-related data under the corresponding buildtags to reduce the memory footprint and speed up compilation for non-apparmor builds. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1262 Approved by: mheon
* podman/libpod: add default AppArmor profileValentin Rothberg2018-07-11
Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan