vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add default apparmor profile

Browse source 
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
Xianglin Gao 2016-11-29 20:34:15 +08:00
parent 71b80591e3
commit 1f863846f5
9 changed files with 410 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

9
server/container_create.go
View file

@ -12,6 +12,7 @@ import (
"github.com/Sirupsen/logrus"
"github.com/docker/docker/pkg/stringid"
"github.com/kubernetes-incubator/cri-o/oci"
"github.com/kubernetes-incubator/cri-o/server/apparmor"
"github.com/kubernetes-incubator/cri-o/server/seccomp"
"github.com/kubernetes-incubator/cri-o/utils"
"github.com/opencontainers/runc/libcontainer/label"
@ -184,9 +185,11 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
}
// set this container's apparmor profile if it is set by sandbox
appArmorProfileName := GetAppArmorProfileName(sb.annotations, metadata.GetName())
if appArmorProfileName != "" {
specgen.SetProcessApparmorProfile(appArmorProfileName)
if s.appArmorEnabled {
appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
if appArmorProfileName != "" {
specgen.SetProcessApparmorProfile(appArmorProfileName)
}
}
if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {