vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #1189 from runcom/fix-apparmor-master

Browse source 
container_create: fix apparmor from container config
This commit is contained in:
Mrunal Patel 2017-11-30 08:56:46 -10:00 committed by GitHub
commit 2cae11ba35
4 changed files with 5 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

8
server/container_create.go
View file

@ -740,7 +740,8 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
// set this container's apparmor profile if it is set by sandbox
if s.appArmorEnabled && !privileged {
appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
appArmorProfileName := s.getAppArmorProfileName(containerConfig.GetLinux().GetSecurityContext().GetApparmorProfile())
if appArmorProfileName != "" {
// reload default apparmor profile if it is unloaded.
if s.appArmorProfile == apparmor.DefaultApparmorProfile {
@ -751,6 +752,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
specgen.SetProcessApparmorProfile(appArmorProfileName)
}
}
logPath := containerConfig.LogPath
@ -1239,9 +1241,7 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, profile string) error
}
// getAppArmorProfileName gets the profile name for the given container.
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
func (s *Server) getAppArmorProfileName(profile string) string {
if profile == "" {
return ""
}