Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
parent
1f863846f5
commit
26645c90ac
6 changed files with 43 additions and 25 deletions
|
@ -57,24 +57,6 @@ func IsEnabled() bool {
|
|||
return apparmor.IsEnabled()
|
||||
}
|
||||
|
||||
// GetAppArmorProfileName gets the profile name for the given container.
|
||||
func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
if profile == ProfileRuntimeDefault {
|
||||
// If the value is runtime/default, then return default profile.
|
||||
logrus.Infof("get default profile name")
|
||||
return defaultApparmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
|
||||
return profileName
|
||||
}
|
||||
|
||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||
// pod annotations
|
||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||
|
|
|
@ -68,6 +68,10 @@ type RuntimeConfig struct {
|
|||
// SeccompProfile is the seccomp json profile path which is used as the
|
||||
// default for the runtime.
|
||||
SeccompProfile string `toml:"seccomp_profile"`
|
||||
|
||||
// ApparmorProfile is the apparmor profile name which is used as the
|
||||
// default for the runtime.
|
||||
ApparmorProfile string `toml:"apparmor_profile"`
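Review bot: The doc comment on the new `ApparmorProfile` field does not say which containers it applies to or what an empty value means, and since this is the knob that decides whether a pod asking for the default profile is confined at all, that matters to whoever edits the TOML. I would expand it to `// ApparmorProfile is the apparmor profile name applied to containers whose` / `// pod annotation requests "runtime/default" (apparmor.ProfileRuntimeDefault).` / `// It is used as the default for the runtime.` A sentence on the empty case belongs there too once the server side decides how to handle it.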
|
||||
}
|
||||
|
||||
// ImageConfig represents the "ocid.image" TOML config table.
|
||||
|
|
|
@ -186,7 +186,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
|
|||
|
||||
// set this container's apparmor profile if it is set by sandbox
|
||||
if s.appArmorEnabled {
|
||||
appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
if appArmorProfileName != "" {
|
||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||
}
|
||||
|
@ -383,3 +383,20 @@ func (s *Server) generateContainerIDandName(podName string, name string, attempt
|
|||
}
|
||||
return id, name, err
|
||||
}
|
||||
|
||||
// getAppArmorProfileName gets the profile name for the given container.
|
||||
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
if profile == apparmor.ProfileRuntimeDefault {
|
||||
// If the value is runtime/default, then return default profile.
|
||||
return s.appArmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||
return profileName
|
||||
}
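Review bot: `return s.appArmorProfile` in the `ProfileRuntimeDefault` branch of getAppArmorProfileName is not guarded, so when the new `apparmor_profile` config value is empty a container that requests runtime/default gets an empty profile name, which the caller in createSandboxContainer treats as "set no profile"; the removed `apparmor.GetAppArmorProfileName` always answered with `defaultApparmorProfile`, so this is a silent loss of confinement rather than an error. The same gap is at the assignment `s.appArmorProfile = config.ApparmorProfile` in the server.go section of this commit. Fall back to the built-in default there when the configured value is empty (the name is currently unexported as `defaultApparmorProfile` in the apparmor package and would need exporting), or at minimum make this function log and refuse rather than return `""` for a runtime/default request.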
|
||||
|
|
|
@ -42,6 +42,7 @@ type Server struct {
|
|||
seccompProfile seccomp.Seccomp
|
||||
|
||||
appArmorEnabled bool
|
||||
appArmorProfile string
|
||||
}
|
||||
|
||||
func (s *Server) loadContainer(id string) error {
|
||||
|
@ -300,6 +301,7 @@ func New(config *Config) (*Server, error) {
|
|||
if s.appArmorEnabled {
|
||||
apparmor.InstallDefaultAppArmorProfile()
|
||||
}
|
||||
s.appArmorProfile = config.ApparmorProfile
|
||||
|
||||
s.podIDIndex = truncindex.NewTruncIndex([]string{})
|
||||
s.podNameIndex = registrar.NewRegistrar()
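Review bot: `s.appArmorProfile = config.ApparmorProfile` is stored without any validation, while the call just above it, `apparmor.InstallDefaultAppArmorProfile()`, only guarantees that the built-in default profile is loaded; nothing checks that a differently named configured profile exists in the kernel, so a misspelled value is presumably only discovered when the first container is started. If the apparmor package offers a loaded-profile check, call it here and fail `New` with a wrapped error when the configured name is unknown; otherwise at least log the effective profile name at startup so an operator can see what will be applied. The assignment also runs when `s.appArmorEnabled` is false, which is harmless but worth moving inside the `if` block for clarity.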
|
||||
|
|