From edb285d17675061832aceaf72021b87aba149438 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Wed, 9 Jan 2019 14:54:58 +0100 Subject: apparmor: apply default profile at container initialization Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile version-independent by checking for the `libpod-default-` prefix and overwriting the profile in the run-time spec if needed. The initial run-time spec of the container differs a bit from the applied one once the container has been started, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg --- pkg/apparmor/apparmor_unsupported.go | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'pkg/apparmor/apparmor_unsupported.go') diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go index df1336b07..b2b4de5f5 100644 --- a/pkg/apparmor/apparmor_unsupported.go +++ b/pkg/apparmor/apparmor_unsupported.go 
@@ -2,19 +2,25 @@
 
 package apparmor
 
-// IsEnabled returns true if AppArmor is enabled on the host.
+// IsEnabled dummy.
 func IsEnabled() bool {
 	return false
 }
 
-// InstallDefault generates a default profile in a temp directory determined by
-// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+// InstallDefault dummy.
 func InstallDefault(name string) error {
 	return ErrApparmorUnsupported
 }
 
-// IsLoaded checks if a profile with the given name has been loaded into the
-// kernel.
+// IsLoaded dummy.
 func IsLoaded(name string) (bool, error) {
 	return false, ErrApparmorUnsupported
 }
+
+// CheckProfileAndLoadDefault dummy.
+func CheckProfileAndLoadDefault(name string) (string, error) {
+	if name == "" {
+		return "", nil
+	}
+	return "", ErrApparmorUnsupported
+}
-- 
cgit v1.2.3-54-g00ecf
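Review bot: The replacement doc comments `// IsEnabled dummy.`, `// InstallDefault dummy.`, `// IsLoaded dummy.` and `// CheckProfileAndLoadDefault dummy.` drop the contract the removed comments documented, and Go doc comments on exported names should be full sentences that start with the name. For the new stub this matters most, because a caller that sees ("", nil) for an empty name could read it as "default profile applied" when on this build no profile is ever loaded. I would write `// CheckProfileAndLoadDefault is a stub for hosts built without AppArmor support: an empty name returns ("", nil) and applies no profile; any other name returns ErrApparmorUnsupported.` and restore one-line descriptions on the other three, e.g. `// IsEnabled always returns false on hosts built without AppArmor support.` If the Linux implementation accepts the literal `unconfined` as a valid request, note that this stub rejects it with ErrApparmorUnsupported, which is worth confirming against what the podman-{start,run} callers expect.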