diff --git a/cmd/server/config.go b/cmd/server/config.go
index 83ce9fa6..c4c3fe5b 100644
--- a/cmd/server/config.go
+++ b/cmd/server/config.go
@@ -11,10 +11,11 @@ import (
 )
 
 const (
- ocidRoot = "/var/lib/ocid"
- conmonPath = "/usr/libexec/ocid/conmon"
- pausePath = "/usr/libexec/ocid/pause"
- seccompProfilePath = "/etc/ocid/seccomp.json"
+ ocidRoot = "/var/lib/ocid"
+ conmonPath = "/usr/libexec/ocid/conmon"
+ pausePath = "/usr/libexec/ocid/pause"
+ seccompProfilePath = "/etc/ocid/seccomp.json"
+ apparmorProfileName = "crio-default"
 )
 
 var commentedConfigTemplate = template.Must(template.New("config").Parse(`
@@ -64,6 +65,10 @@ selinux = {{ .SELinux }}
 # default for the runtime.
 seccomp_profile = "{{ .SeccompProfile }}"
 
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "{{ .ApparmorProfile }}"
+
 # The "ocid.image" table contains settings pertaining to the
 # management of OCI images.
 [ocid.image]
@@ -94,8 +99,9 @@ func DefaultConfig() *server.Config {
 ConmonEnv: []string{
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 },
- SELinux: selinux.SelinuxEnabled(),
- SeccompProfile: seccompProfilePath,
+ SELinux: selinux.SelinuxEnabled(),
+ SeccompProfile: seccompProfilePath,
+ ApparmorProfile: apparmorProfileName,
 },
 ImageConfig: server.ImageConfig{
 Pause: pausePath,
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 518eb997..6774feaf 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -59,6 +59,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 if ctx.GlobalIsSet("seccomp-profile") {
 config.SeccompProfile = ctx.GlobalString("seccomp-profile")
 }
+ if ctx.GlobalIsSet("apparmor-profile") {
+ config.ApparmorProfile = ctx.GlobalString("apparmor-profile")
+ }
 return nil
 }
 
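Review bot: The value copied into `config.ApparmorProfile` here is never validated, and an empty `--apparmor-profile` (or, presumably, an empty `apparmor_profile` in the TOML file, which does not pass through mergeConfig at all) propagates unchanged: in server/container_create.go the new `getAppArmorProfileName` returns `s.appArmorProfile` for the `runtime/default` annotation, and its caller skips `SetProcessApparmorProfile` when the name is empty, so a pod that asked for the default profile would start without AppArmor confinement and without any log line saying so. Since both the flag and the config file end up in `server.New`, the check belongs where `s.appArmorProfile` is assigned in server/server.go in this same commit: `if s.appArmorEnabled && s.appArmorProfile == "" {` / `return nil, errors.New("apparmor is enabled but apparmor_profile is empty")` / `}`, using whichever error constructor server.go already imports. Falling back to the built-in default name would also work, but a startup error is far easier to notice than a container silently running unconfined. The bodies of mergeConfig and New both continue outside their hunks.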
@@ -135,6 +138,10 @@ func main() {
 Name: "seccomp-profile",
 Usage: "default seccomp profile path",
 },
+ cli.StringFlag{
+ Name: "apparmor-profile",
+ Usage: "default apparmor profile name (default: \"crio-default\")",
+ },
 cli.BoolFlag{
 Name: "selinux",
 Usage: "enable selinux support",
diff --git a/server/apparmor/apparmor.go b/server/apparmor/apparmor.go
index 46821c30..f38c1bb3 100644
--- a/server/apparmor/apparmor.go
+++ b/server/apparmor/apparmor.go
@@ -57,24 +57,6 @@ func IsEnabled() bool {
 return apparmor.IsEnabled()
 }
 
-// GetAppArmorProfileName gets the profile name for the given container.
-func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
- profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
-
- if profile == "" {
- return ""
- }
-
- if profile == ProfileRuntimeDefault {
- // If the value is runtime/default, then return default profile.
- logrus.Infof("get default profile name")
- return defaultApparmorProfile
- }
-
- profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
- return profileName
-}
-
 // GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
 // pod annotations
 func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
diff --git a/server/config.go b/server/config.go
index 12e143c7..75e93aa3 100644
--- a/server/config.go
+++ b/server/config.go
@@ -68,6 +68,10 @@ type RuntimeConfig struct {
 // SeccompProfile is the seccomp json profile path which is used as the
 // default for the runtime.
 SeccompProfile string `toml:"seccomp_profile"`
+
+ // ApparmorProfile is the apparmor profile name which is used as the
+ // default for the runtime.
+ ApparmorProfile string `toml:"apparmor_profile"`
 }
 
 // ImageConfig represents the "ocid.image" TOML config table.
diff --git a/server/container_create.go b/server/container_create.go
index dbd17644..9c0bd07c 100644
--- a/server/container_create.go
+++ b/server/container_create.go
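Review bot: The usage string of the new `apparmor-profile` flag embeds the literal `"crio-default"` while the actual default comes from the `apparmorProfileName` constant in cmd/server/config.go, so the two will drift silently the next time the constant changes. Both appear to live in the same package, so the text can be derived from the constant instead: `Usage: "default apparmor profile name (default: \"" + apparmorProfileName + "\")",`. It would also help operators to say in the usage text that this is a profile name that must already be loaded in the kernel, not a file path, since the neighbouring `seccomp-profile` flag takes a path and the two are easy to confuse. The body of `main` continues outside this hunk.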
@@ -186,7 +186,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
 
 // set this container's apparmor profile if it is set by sandbox
 if s.appArmorEnabled {
- appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
+ appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
 if appArmorProfileName != "" {
 specgen.SetProcessApparmorProfile(appArmorProfileName)
 }
@@ -383,3 +383,20 @@ func (s *Server) generateContainerIDandName(podName string, name string, attempt
 }
 return id, name, err
 }
+
+// getAppArmorProfileName gets the profile name for the given container.
+func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
+ profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
+
+ if profile == "" {
+ return ""
+ }
+
+ if profile == apparmor.ProfileRuntimeDefault {
+ // If the value is runtime/default, then return default profile.
+ return s.appArmorProfile
+ }
+
+ profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
+ return profileName
+}
diff --git a/server/server.go b/server/server.go
index ad47b416..317b9499 100644
--- a/server/server.go
+++ b/server/server.go
@@ -42,6 +42,7 @@ type Server struct {
 seccompProfile seccomp.Seccomp
 
 appArmorEnabled bool
+ appArmorProfile string
 }
 
 func (s *Server) loadContainer(id string) error {
@@ -300,6 +301,7 @@ func New(config *Config) (*Server, error) {
 if s.appArmorEnabled {
 apparmor.InstallDefaultAppArmorProfile()
 }
+ s.appArmorProfile = config.ApparmorProfile
 
 s.podIDIndex = truncindex.NewTruncIndex([]string{})
 s.podNameIndex = registrar.NewRegistrar()
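Review bot: `getAppArmorProfileName` is documented only as "gets the profile name", which hides its three-way contract; the comment should state that it returns `""` when the pod carries no AppArmor annotation for `ctrName`, `s.appArmorProfile` for the `runtime/default` value, and otherwise the annotation with `apparmor.ProfileNamePrefix` stripped, and that an empty result makes `createSandboxContainer` leave the container unconfined. On the server/server.go side, `s.appArmorProfile = config.ApparmorProfile` is stored right after `InstallDefaultAppArmorProfile()`, which presumably loads only the built-in profile, so a configured name that is not loaded in the kernel is not detected until the first pod requests `runtime/default` and the runtime refuses to start that container. Checking in `New` that the configured name is among the kernel's loaded profiles (for example by reading `/sys/kernel/security/apparmor/profiles`, or via whatever loaded-profile query the apparmor package already exposes) would turn that into a startup error with a clear message. The body of `New` continues outside the hunk; `getAppArmorProfileName` itself is complete within it.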