From fe928c6b429ff25b9cc14bcf45db976db223ee34 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Thu, 23 May 2019 13:12:56 +0200 Subject: apparmor: don't load/set profile in privileged mode Commit 27f9e23a0b9e already prevents setting the profile when creating the spec but we also need to avoid loading and setting the profile when creating the container. Fixes: #3112 Signed-off-by: Valentin Rothberg --- libpod/container_internal_linux.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'libpod') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c5e404155..f25f76092 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -25,7 +25,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } // Apply AppArmor checks and load the default profile if needed. - updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) - if err != nil { - return nil, err + if !c.config.Privileged { + updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) + if err != nil { + return nil, err + } + g.SetProcessApparmorProfile(updatedProfile) } - g.SetProcessApparmorProfile(updatedProfile) if err := c.makeBindMounts(); err != nil { return nil, err -- cgit v1.2.3-54-g00ecf