From 71b80591e33b4debdb1ed35e198f66e18c10ee5f Mon Sep 17 00:00:00 2001
From: Xianglin Gao
Date: Thu, 24 Nov 2016 21:27:56 +0800
Subject: [PATCH] support apparmor

Signed-off-by: Xianglin Gao
---
 server/container_create.go | 7 +++++++
 server/utils.go | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/server/container_create.go b/server/container_create.go
index 9e8e1624..53b1562e 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -182,6 +182,13 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
 specgen.AddAnnotation(k, v)
 }
 }
+
+ // set this container's apparmor profile if it is set by sandbox
+ appArmorProfileName := GetAppArmorProfileName(sb.annotations, metadata.GetName())
+ if appArmorProfileName != "" {
+ specgen.SetProcessApparmorProfile(appArmorProfileName)
+ }
+
 if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 specgen.SetupPrivileged(true)
 }
diff --git a/server/utils.go b/server/utils.go
index 6b5c8e15..1d841401 100644
--- a/server/utils.go
+++ b/server/utils.go
@@ -11,6 +11,14 @@ const (
 // According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
 // "The search list is currently limited to six domains with a total of 256 characters."
 maxDNSSearches = 6
+
+ // ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
+ ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+
+ // ProfileRuntimeDefault is he profile specifying the runtime default.
+ ProfileRuntimeDefault = "runtime/default"
+ // ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+ ProfileNamePrefix = "localhost/"
 )
 
 func int64Ptr(i int64) *int64 {
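Review bot: A pod that explicitly requests `runtime/default` ends up with no AppArmor profile at all, because `GetAppArmorProfileName` returns the empty string for that value and the `if appArmorProfileName != ""` guard then skips `SetProcessApparmorProfile`; in the Kubernetes annotation contract `runtime/default` asks for the runtime's own default profile, not for an unconfined process. Unless specgen or the runtime already applies a default profile elsewhere (not visible in this hunk), this branch should select the server's default profile for that case, e.g. `specgen.SetProcessApparmorProfile(<RUNTIME_DEFAULT_PROFILE_NAME>)` with the real name coming from the server configuration. The hunk also does not check that AppArmor is enabled on the host before setting a profile, so a `localhost/` profile that is not loaded only surfaces as an opaque start failure later; a pre-check returning a clear error at create time would be friendlier to operators. The enclosing `createSandboxContainer` starts and ends outside the hunk.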
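Review bot: The doc comment on `ProfileRuntimeDefault` has a typo: `// ProfileRuntimeDefault is he profile specifying the runtime default.` should read `// ProfileRuntimeDefault is the profile specifying the runtime default.`. The block documents only two accepted forms (`runtime/default` and a `localhost/`-prefixed name) but nothing here records that any other value is invalid; a one-line comment above the group such as `// Accepted annotation values are ProfileRuntimeDefault or ProfileNamePrefix followed by a profile loaded on the node.` would make the contract explicit for the code in server/utils.go that consumes them. For consistency with `ContainerAnnotationKeyPrefix`, the last two constants could also be separated by a blank line.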
@@ -156,3 +164,21 @@ func SysctlsFromPodAnnotation(annotation string) ([]Sysctl, error) {
 }
 return sysctls, nil
 }
+
+// GetAppArmorProfileName gets the profile name for the given container.
+func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
+ profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
+ if profile == "" || profile == ProfileRuntimeDefault {
+ // If the value is runtime/default, then it is equivalent to not specifying a profile.
+ return ""
+ }
+
+ profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
+ return profileName
+}
+
+// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
+// pod annotations
+func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
+ return annotations[ContainerAnnotationKeyPrefix+containerName]
+}