From 0ecd2aa284181f2862acd2dba5675f71a5338d3c Mon Sep 17 00:00:00 2001
From: "Guillaume J. Charmes"
Date: Thu, 6 Mar 2014 11:10:58 -0800
Subject: [PATCH 1/3] Use CGO for apparmor profile switch
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack)
---
 libcontainer/apparmor/apparmor.go | 16 ++++++++--------
 libcontainer/nsinit/init.go | 7 +++----
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
index 4b1bf57..c2954fd 100644
--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -1,9 +1,12 @@
 package apparmor
+// #cgo LDFLAGS: -lapparmor
+// #include
+// #include
+import "C"
 import (
- "fmt"
 "io/ioutil"
- "os"
+ "unsafe"
 )
 func IsEnabled() bool {
@@ -16,13 +19,10 @@ func ApplyProfile(pid int, name string) error {
 return nil
 }
- f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
- if err != nil {
- return err
- }
- defer f.Close()
+ cName := C.CString(name)
+ defer C.free(unsafe.Pointer(cName))
- if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+ if _, err := C.aa_change_onexec(cName); err != nil {
 return err
 }
 return nil
diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go
index a854f13..45ab881 100644
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("setup mount namespace %s", err)
 }
- if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
- return err
- }
-
 if err := setupNetwork(container, context); err != nil {
 return fmt.Errorf("setup networking %s", err)
 }
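Review bot: `if _, err := C.aa_change_onexec(cName); err != nil` discards the C return value and treats only a non-zero errno as failure, so whether a refused profile switch is reported depends entirely on libapparmor having set errno; the robust contract is to test the integer result, e.g. `if ret, err := C.aa_change_onexec(cName); ret != 0 { return err }` with a fixed error substituted when `err` is nil (this needs an error-constructing import back, since `fmt` is dropped in the previous hunk). The `pid` parameter is now dead: the removed write addressed `/proc/%d/attr/current` for the given pid and took effect immediately, whereas aa_change_onexec only affects the calling process and only at its next exec, so a caller passing a foreign pid gets no confinement and no error. That shift deserves a doc comment such as `// ApplyProfile arranges for the calling process to enter AppArmor profile name at its next exec; pid is ignored.` ApplyProfile starts before this hunk; only its signature is visible in the hunk header.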
@@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("finalize namespace %s", err)
 }
+ if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+ return err
+ }
 return system.Execv(args[0], args[0:], container.Env)
 }
From 729080d46ae151261c034a8a850064cc6660fee6 Mon Sep 17 00:00:00 2001
From: "Guillaume J. Charmes"
Date: Thu, 6 Mar 2014 12:04:51 -0800
Subject: [PATCH 2/3] Add buildflags to allow crosscompilation for apparmor
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack)
---
 libcontainer/apparmor/apparmor.go | 2 ++
 libcontainer/apparmor/apparmor_disabled.go | 13 +++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 libcontainer/apparmor/apparmor_disabled.go
diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
index c2954fd..d07c710 100644
--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -1,3 +1,5 @@
+// +build apparmor
+
 package apparmor
 // #cgo LDFLAGS: -lapparmor
diff --git a/libcontainer/apparmor/apparmor_disabled.go b/libcontainer/apparmor/apparmor_disabled.go
new file mode 100644
index 0000000..489484f
--- /dev/null
+++ b/libcontainer/apparmor/apparmor_disabled.go
@@ -0,0 +1,13 @@
+// +build !apparmor
+
+package apparmor
+
+import ()
+
+func IsEnabled() bool {
+ return false
+}
+
+func ApplyProfile(pid int, name string) error {
+ return nil
+}
From 5c13d614252bfa0edaa0aaa18d4446a64dc284c5 Mon Sep 17 00:00:00 2001
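Review bot: The relocated `apparmor.ApplyProfile(...)` call is correct only because it sits immediately before `system.Execv`: with aa_change_onexec the profile is attached at the next exec rather than when the call returns, so nothing run between these two lines is confined, and a later change that inserts another exec or moves the call back above the namespace setup (where it was) would leave the container process under the wrong profile or none, with no error. A one-line comment pinning that invariant, `// must stay directly before Execv: aa_change_onexec only takes effect at the next exec`, would protect it. When `container.Context["apparmor_profile"]` is unset the lookup yields "", and whether ApplyProfile treats "" as "no profile" cannot be confirmed from this hunk. Init starts before the hunk.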
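Review bot: The stub `ApplyProfile` returns nil whatever `name` is, so a binary built without the `apparmor` tag runs a container whose configuration names a profile with no confinement at all, and nsinit cannot notice because the error return is the only signal it checks. If that silent fallback is intended (presumably matching what the real implementation does when `IsEnabled()` is false, which this series does not show), say so in a doc comment, `// ApplyProfile is a no-op in builds without the apparmor tag; the requested profile is not applied.`; otherwise return an error when `name != ""` so the missing confinement fails closed rather than open. The empty `import ()` block is dead and can be dropped.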
From: Tianon Gravi
Date: Thu, 6 Mar 2014 13:39:17 -0700
Subject: [PATCH 3/3] Update build tags such that we can properly compile on all platforms (especially for packagers), and updated hack/PACKAGERS.md to mention the DOCKER_BUILDTAGS variable that will need to be set for binaries that might be used on AppArmor (such as Debian and especially Ubuntu)
Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
---
 libcontainer/apparmor/apparmor.go | 2 +-
 libcontainer/apparmor/apparmor_disabled.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
index d07c710..a6d57d4 100644
--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -1,4 +1,4 @@
-// +build apparmor
+// +build apparmor,linux,amd64
 package apparmor
diff --git a/libcontainer/apparmor/apparmor_disabled.go b/libcontainer/apparmor/apparmor_disabled.go
index 489484f..77543e4 100644
--- a/libcontainer/apparmor/apparmor_disabled.go
+++ b/libcontainer/apparmor/apparmor_disabled.go
@@ -1,4 +1,4 @@
-// +build !apparmor
+// +build !apparmor !linux !amd64
 package apparmor
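Review bot: `// +build apparmor,linux,amd64` narrows the real implementation to a single architecture, so an `apparmor`-tagged build for any other Linux arch silently compiles the stub from apparmor_disabled.go and ships without confinement, with no build-time signal that the tag was ignored. The two constraints are exact complements (comma is AND, space is OR, so `!apparmor !linux !amd64` negates the first), but neither file says why amd64 is required; a comment beside each tag, e.g. `// amd64 only: the cgo link against libapparmor is not cross-compiled for other architectures`, would tell packagers setting DOCKER_BUILDTAGS what they are and are not getting. The subject also says hack/PACKAGERS.md was updated, yet the diffstat lists only the two apparmor files, so either the description or the patch is incomplete.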