From cb603b8a3e4a4a1da194ed020caf270fa85f6f5b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 15 Jul 2020 16:33:24 -0400 Subject: Support default profile for apparmor Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh
---
libpod/container_internal_linux.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libpod')
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index cb70aea62..018e2d5a4 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -244,7 +244,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 }
 // Apply AppArmor checks and load the default profile if needed.
- if !c.config.Privileged {
+ if len(c.config.Spec.Process.ApparmorProfile) > 0 {
 updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
 if err != nil {
 return nil, err
-- cgit v1.2.3-54-g00ecf
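Review bot: The new guard `if len(c.config.Spec.Process.ApparmorProfile) > 0 {` skips `apparmor.CheckProfileAndLoadDefault` for every container whose spec carries an empty profile, including the non-privileged ones that the old `!c.config.Privileged` test sent through it. Judging by the call's name and the comment above the branch, that call is where the default profile gets loaded, so unless another part of this commit (the view here is limited to libpod) always fills in ApparmorProfile before generateSpec runs, a non-privileged container with no explicit profile may end up without the default confinement. Keeping the old path alongside the new one, `if !c.config.Privileged || len(c.config.Spec.Process.ApparmorProfile) > 0 {`, would preserve the default for non-privileged containers and still honour an explicit profile given together with --privileged. generateSpec begins and ends outside the hunk, so whether the profile is populated earlier cannot be confirmed from these lines.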