Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
parent
1f863846f5
commit
26645c90ac
6 changed files with 43 additions and 25 deletions
|
@ -186,7 +186,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
|
|||
|
||||
// set this container's apparmor profile if it is set by sandbox
|
||||
if s.appArmorEnabled {
|
||||
appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
if appArmorProfileName != "" {
|
||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||
}
|
||||
|
@ -383,3 +383,20 @@ func (s *Server) generateContainerIDandName(podName string, name string, attempt
|
|||
}
|
||||
return id, name, err
|
||||
}
|
||||
|
||||
// getAppArmorProfileName gets the profile name for the given container.
|
||||
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
if profile == apparmor.ProfileRuntimeDefault {
|
||||
// If the value is runtime/default, then return default profile.
|
||||
return s.appArmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||
return profileName
|
||||
}
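Review bot: In getAppArmorProfileName (second hunk), a profile value that is neither `apparmor.ProfileRuntimeDefault` nor prefixed with `apparmor.ProfileNamePrefix` reaches the `strings.TrimPrefix` on the last lines unchanged, so an unexpected annotation value is returned verbatim and, via the first hunk, handed straight to `specgen.SetProcessApparmorProfile`. A guard such as `if !strings.HasPrefix(profile, apparmor.ProfileNamePrefix) { return "" }` before the trim makes a malformed value behave like an unset annotation; reporting it as an error would be stricter but changes the signature and the call in createSandboxContainer, whose body lies outside the first hunk. If `s.appArmorProfile` can be empty (where it is set is not visible here), the runtime/default branch also returns "" and the caller then sets no profile at all, which deserves a line on the doc comment, e.g. `// It returns "" when no profile applies, including runtime/default with no configured default profile.` The final two lines can collapse to `return strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)`.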
|
||||
|
|