Apply apparmor before restrictions

There is no need for the remount hack: we use aa_change_onexec, so the
apparmor profile is not applied until we exec the user's app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Michael Crosby 2014-05-01 19:09:12 -07:00
parent cc38164090
commit 593c632113
5 changed files with 12 additions and 37 deletions


@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
runtime.LockOSThread()
if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
}
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
return fmt.Errorf("set process label %s", err)
}
if container.Context["restrictions"] != "" {
if err := restrict.Restrict(); err != nil {
return err
}
}
if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
return err
}
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
return fmt.Errorf("set process label %s", err)
}
if err := FinalizeNamespace(container); err != nil {
return fmt.Errorf("finalize namespace %s", err)
}