Apply apparmor before restrictions

There is not need for the remount hack, we use aa_change_onexec so the apparmor profile is not applied until we exec the users app. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 19:09:12 -07:00 · 2014-05-01 19:09:12 -07:00 · 593c632113
commit 593c632113
parent cc38164090
5 changed files with 12 additions and 37 deletions
--- a/apparmor/apparmor.go
+++ b/apparmor/apparmor.go
@ -20,7 +20,7 @@ func IsEnabled() bool {
 	return false
 }

-func ApplyProfile(pid int, name string) error {
+func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
--- a/apparmor/apparmor_disabled.go
+++ b/apparmor/apparmor_disabled.go
@ -2,12 +2,10 @@

 package apparmor

-import ()
-
 func IsEnabled() bool {
 	return false
 }

-func ApplyProfile(pid int, name string) error {
+func ApplyProfile(name string) error {
 	return nil
 }
--- a/libcontainer/console/console.go
+++ b/libcontainer/console/console.go
@ -4,11 +4,12 @@ package console

 import (
 	"fmt"
-	"github.com/dotcloud/docker/pkg/label"
-	"github.com/dotcloud/docker/pkg/system"
 	"os"
 	"path/filepath"
 	"syscall"
+
+	"github.com/dotcloud/docker/pkg/label"
+	"github.com/dotcloud/docker/pkg/system"
 )

 // Setup initializes the proper /dev/console inside the rootfs path
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,

 	runtime.LockOSThread()

+	if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
+		return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
+	}
+	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
+		return fmt.Errorf("set process label %s", err)
+	}
 	if container.Context["restrictions"] != "" {
 		if err := restrict.Restrict(); err != nil {
 			return err
 		}
 	}
-
-	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
-		return err
-	}
-	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
-		return fmt.Errorf("set process label %s", err)
-	}
 	if err := FinalizeNamespace(container); err != nil {
 		return fmt.Errorf("finalize namespace %s", err)
 	}
--- a/libcontainer/security/restrict/restrict.go
+++ b/libcontainer/security/restrict/restrict.go
@ -4,8 +4,6 @@ package restrict

 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"syscall"

 	"github.com/dotcloud/docker/pkg/system"
@ -23,26 +21,5 @@ func Restrict() error {
 	if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil {
 		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
 	}
-
-	// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
-	// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
-	// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
-	if err := os.Mkdir(".proc", 0700); err != nil {
-		return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
-	}
-	if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
-		return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
-	}
-	if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
-		return fmt.Errorf("unable to remount proc read-write: %s", err)
-	}
-	for _, path := range []string{"attr", "task"} {
-		if err := system.Mount(filepath.Join(".proc", "1", path), filepath.Join("proc", "1", path), "", syscall.MS_BIND, ""); err != nil {
-			return fmt.Errorf("unable to bind-mount %s: %s", path, err)
-		}
-	}
-	if err := system.Unmount(".proc", 0); err != nil {
-		return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
-	}
-	return os.RemoveAll(".proc")
+	return nil
 }