From 06ab343bd7c113fe761631142dde4829e8aa4d40 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 9 Jul 2018 08:50:52 +0200 Subject: podman/libpod: add default AppArmor profile Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg Closes: #1063 Approved by: rhatdan --- hack/dind | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100755 hack/dind (limited to 'hack/dind') diff --git a/hack/dind b/hack/dind new file mode 100755 index 000000000..3254f9dbe --- /dev/null +++ b/hack/dind @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -e + +# DinD: a wrapper script which allows docker to be run inside a docker container. +# Original version by Jerome Petazzoni +# See the blog post: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/ +# +# This script should be executed inside a docker container in privileged mode +# ('docker run --privileged', introduced in docker 0.6). + +# Usage: dind CMD [ARG...] + +# apparmor sucks and Docker needs to know that it's in a container (c) @tianon +export container=docker + +if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then + mount -t securityfs none /sys/kernel/security || { + echo >&2 'Could not mount /sys/kernel/security.' + echo >&2 'AppArmor detection and --privileged mode might break.' + } +fi + +# Mount /tmp (conditionally) +if ! mountpoint -q /tmp; then + mount -t tmpfs none /tmp +fi + +if [ $# -gt 0 ]; then + exec "$@" +fi + +echo >&2 'ERROR: No command specified.' +echo >&2 'You probably want to run hack/make.sh, or maybe a shell?' -- cgit v1.2.3-54-g00ecf