container_create: fix apparmor from container config
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca
parent
6faef13293
commit
c8aad704dd
4 changed files with 5 additions and 20 deletions
|
|
@ -3,10 +3,6 @@ package apparmor
|
|||
const (
|
||||
// DefaultApparmorProfile is the name of default apparmor profile name.
|
||||
DefaultApparmorProfile = "crio-default"
|
||||
|
||||
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
|
||||
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
|
||||
|
||||
// ProfileRuntimeDefault is he profile specifying the runtime default.
|
||||
ProfileRuntimeDefault = "runtime/default"
|
||||
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ type profileData struct {
|
|||
|
||||
// EnsureDefaultApparmorProfile loads default apparmor profile, if it is not loaded.
|
||||
func EnsureDefaultApparmorProfile() error {
|
||||
if apparmor.IsEnabled() {
|
||||
if IsEnabled() {
|
||||
loaded, err := IsLoaded(DefaultApparmorProfile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", DefaultApparmorProfile, err)
|
||||
|
|
@ -59,12 +59,6 @@ func IsEnabled() bool {
|
|||
return apparmor.IsEnabled()
|
||||
}
|
||||
|
||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||
// pod annotations
|
||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||
return annotations[ContainerAnnotationKeyPrefix+containerName]
|
||||
}
|
||||
|
||||
// InstallDefault generates a default profile in a temp directory determined by
|
||||
// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
|
||||
func InstallDefault(name string) error {
|
||||
|
|
|
|||
|
|
@ -11,8 +11,3 @@ func IsEnabled() bool {
|
|||
func EnsureDefaultApparmorProfile() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.
|
||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||
return ""
|
||||
}
|
||||
|
|
|
|||
|
|
@ -740,7 +740,8 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
|
||||
// set this container's apparmor profile if it is set by sandbox
|
||||
if s.appArmorEnabled && !privileged {
|
||||
appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
|
||||
|
||||
appArmorProfileName := s.getAppArmorProfileName(containerConfig.GetLinux().GetSecurityContext().GetApparmorProfile())
|
||||
if appArmorProfileName != "" {
|
||||
// reload default apparmor profile if it is unloaded.
|
||||
if s.appArmorProfile == apparmor.DefaultApparmorProfile {
|
||||
|
|
@ -751,6 +752,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
|
||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
logPath := containerConfig.LogPath
|
||||
|
|
@ -1259,9 +1261,7 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, profile string) error
|
|||
}
|
||||
|
||||
// getAppArmorProfileName gets the profile name for the given container.
|
||||
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
func (s *Server) getAppArmorProfileName(profile string) string {
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue