diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
index 044b766..4b1bf57 100644
--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -1,42 +1,29 @@
 package apparmor
 import (
- "errors"
 "fmt"
 "io/ioutil"
- "log"
 "os"
 )
-var AppArmorEnabled bool
-
-var (
- ErrAppArmorDisabled = errors.New("Error: AppArmor is not enabled on this system")
-)
-
-func init() {
+func IsEnabled() bool {
 buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
- AppArmorEnabled = err == nil && len(buf) > 1 && buf[0] == 'Y'
+ return err == nil && len(buf) > 1 && buf[0] == 'Y'
 }
 func ApplyProfile(pid int, name string) error {
- if !AppArmorEnabled {
- return ErrAppArmorDisabled
+ if !IsEnabled() || name == "" {
+ return nil
 }
 f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
 if err != nil {
- log.Printf("error open: %s\n", err)
 return err
 }
 defer f.Close()
 if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
- log.Printf("changeprofile %s", name)
- log.Printf("Error write: %s\n", err)
 return err
- } else {
- log.Printf("Write success!")
 }
 return nil
 }
diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go
index 48d9213..a854f13 100644
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@@ -32,8 +32,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 syncPipe.Close()
 if console != "" {
- // close pipes so that we can replace it with the pty
- // closeStdPipes()
 slave, err := system.OpenTerminal(console, syscall.O_RDWR)
 if err != nil {
 return fmt.Errorf("open terminal %s", err)
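Review bot: The new guard `if !IsEnabled() || name == ""` in ApplyProfile returns nil when a profile name was supplied but AppArmor is not enabled on the host, so a container configured with a profile is started unconfined with no signal to the caller; the new `return err` in init.go only ever sees open/write failures on /proc/<pid>/attr/current. An empty name is a legitimate no-op, but a requested profile that cannot be applied is a silent downgrade of a security control, and the two cases should not share a branch — let the caller decide, or, if running unconfined on a non-AppArmor host is intended, say so in a comment on the guard. The two exported functions also have no doc comments; `// IsEnabled reports whether the AppArmor kernel module is loaded and enabled.` and `// ApplyProfile switches process pid to the named AppArmor profile; an empty name is a no-op.` would cover them.
```go
func ApplyProfile(pid int, name string) error {
	if name == "" {
		return nil
	}
	if !IsEnabled() {
		return fmt.Errorf("apparmor profile %q requested but apparmor is not enabled", name)
	}
	// … unchanged: open /proc/<pid>/attr/current and write changeprofile …
```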
@@ -51,10 +49,10 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 }
 }
- /*
- if err := system.ParentDeathSignal(); err != nil {
- return fmt.Errorf("parent death signal %s", err)
- }
+ /* this is commented out so that we get the current Ghost functionality
+ if err := system.ParentDeathSignal(); err != nil {
+ return fmt.Errorf("parent death signal %s", err)
+ }
 */
 if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs); err != nil {
@@ -62,9 +60,7 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 }
 if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
- if err != apparmor.ErrAppArmorDisabled {
- return err
- }
+ return err
 }
 if err := setupNetwork(container, context); err != nil {
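Review bot: The rewritten `/* this is commented out so that we get the current Ghost functionality ... */` block keeps a disabled call to system.ParentDeathSignal inside Init's body, and "Ghost functionality" is opaque to anyone who does not already know the history. A one-line comment stating the consequence is more useful than the dead code, which will silently drift from the real API; something like `// ParentDeathSignal is deliberately not set so the init process is not killed when its parent exits (the current "Ghost" behaviour).` — hedged, since what ParentDeathSignal does is not visible here — with the commented-out statements removed. Init starts and ends outside this hunk.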
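Review bot: The new bare `return err` after `apparmor.ApplyProfile(...)` drops all context, while the neighbouring checks in this function wrap theirs (`fmt.Errorf("open terminal %s", err)`, `fmt.Errorf("parent death signal %s", err)`), so a failure to open or write /proc/<pid>/attr/current surfaces as an anonymous path error that does not say it came from AppArmor setup. Suggest `return fmt.Errorf("apply apparmor profile %s", err)` to follow the file's convention. Note that with the new ApplyProfile an AppArmor-disabled host never reaches this branch at all, so this error path now only covers kernel open/write failures. Init starts and ends outside this hunk.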