Merge pull request #1189 from runcom/fix-apparmor-master
container_create: fix apparmor from container config
This commit is contained in:
commit
2cae11ba35
4 changed files with 5 additions and 20 deletions
|
@ -3,10 +3,6 @@ package apparmor
|
||||||
const (
|
const (
|
||||||
// DefaultApparmorProfile is the name of default apparmor profile name.
|
// DefaultApparmorProfile is the name of default apparmor profile name.
|
||||||
DefaultApparmorProfile = "crio-default"
|
DefaultApparmorProfile = "crio-default"
|
||||||
|
|
||||||
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
|
|
||||||
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
|
|
||||||
|
|
||||||
// ProfileRuntimeDefault is he profile specifying the runtime default.
|
// ProfileRuntimeDefault is he profile specifying the runtime default.
|
||||||
ProfileRuntimeDefault = "runtime/default"
|
ProfileRuntimeDefault = "runtime/default"
|
||||||
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
|
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
|
||||||
|
|
|
@ -34,7 +34,7 @@ type profileData struct {
|
||||||
|
|
||||||
// EnsureDefaultApparmorProfile loads default apparmor profile, if it is not loaded.
|
// EnsureDefaultApparmorProfile loads default apparmor profile, if it is not loaded.
|
||||||
func EnsureDefaultApparmorProfile() error {
|
func EnsureDefaultApparmorProfile() error {
|
||||||
if apparmor.IsEnabled() {
|
if IsEnabled() {
|
||||||
loaded, err := IsLoaded(DefaultApparmorProfile)
|
loaded, err := IsLoaded(DefaultApparmorProfile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", DefaultApparmorProfile, err)
|
return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", DefaultApparmorProfile, err)
|
||||||
|
@ -59,12 +59,6 @@ func IsEnabled() bool {
|
||||||
return apparmor.IsEnabled()
|
return apparmor.IsEnabled()
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
|
||||||
// pod annotations
|
|
||||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
|
||||||
return annotations[ContainerAnnotationKeyPrefix+containerName]
|
|
||||||
}
|
|
||||||
|
|
||||||
// InstallDefault generates a default profile in a temp directory determined by
|
// InstallDefault generates a default profile in a temp directory determined by
|
||||||
// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
|
// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
|
||||||
func InstallDefault(name string) error {
|
func InstallDefault(name string) error {
|
||||||
|
|
|
@ -11,8 +11,3 @@ func IsEnabled() bool {
|
||||||
func EnsureDefaultApparmorProfile() error {
|
func EnsureDefaultApparmorProfile() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.
|
|
||||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
|
@ -740,7 +740,8 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
|
|
||||||
// set this container's apparmor profile if it is set by sandbox
|
// set this container's apparmor profile if it is set by sandbox
|
||||||
if s.appArmorEnabled && !privileged {
|
if s.appArmorEnabled && !privileged {
|
||||||
appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
|
|
||||||
|
appArmorProfileName := s.getAppArmorProfileName(containerConfig.GetLinux().GetSecurityContext().GetApparmorProfile())
|
||||||
if appArmorProfileName != "" {
|
if appArmorProfileName != "" {
|
||||||
// reload default apparmor profile if it is unloaded.
|
// reload default apparmor profile if it is unloaded.
|
||||||
if s.appArmorProfile == apparmor.DefaultApparmorProfile {
|
if s.appArmorProfile == apparmor.DefaultApparmorProfile {
|
||||||
|
@ -751,6 +752,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
|
|
||||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
logPath := containerConfig.LogPath
|
logPath := containerConfig.LogPath
|
||||||
|
@ -1239,9 +1241,7 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, profile string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// getAppArmorProfileName gets the profile name for the given container.
|
// getAppArmorProfileName gets the profile name for the given container.
|
||||||
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
func (s *Server) getAppArmorProfileName(profile string) string {
|
||||||
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
|
||||||
|
|
||||||
if profile == "" {
|
if profile == "" {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue