

Use containerd's apparmor package to detect if apparmor can be used
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser
is enabled, or if we are running docker-in-docker.

While those checks are not relevant to runc (as it doesn't load the profile), these
checks _are_ relevant to us (and containerd). So switching to use the containerd
apparmor package, which does include the needed checks.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

(Cherry-picked from 2834f84, to avoid problems with AppArmor in some
environments -- including balenaOS' CI.)
thaJeztah authored and lmbarros committed Jan 5, 2023
1 parent 3a9bd18 commit b052242
Showing 4 changed files with 10 additions and 10 deletions.
6 changes: 3 additions & 3 deletions daemon/apparmor_default.go
Expand Up @@ -6,8 +6,8 @@ package daemon // import "github.com/docker/docker/daemon"
import (
"fmt"

"github.com/containerd/containerd/pkg/apparmor"
aaprofile "github.com/docker/docker/profiles/apparmor"
"github.com/opencontainers/runc/libcontainer/apparmor"
)

// Define constants for native driver
Expand All @@ -18,14 +18,14 @@ const (

// DefaultApparmorProfile returns the name of the default apparmor profile
func DefaultApparmorProfile() string {
if apparmor.IsEnabled() {
if apparmor.HostSupports() {
return defaultAppArmorProfile
}
return ""
}

func ensureDefaultAppArmorProfile() error {
if apparmor.IsEnabled() {
if apparmor.HostSupports() {
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
if err != nil {
return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultAppArmorProfile, err)
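Review bot: The doc comment on `DefaultApparmorProfile` (the line above the changed `HostSupports()` call) still reads as if a name is always returned, while the empty-string case has just become more common: per the commit message, `HostSupports()` also requires `apparmor_parser` to be present and the daemon not to be running nested in a container. Suggest `// DefaultApparmorProfile returns the name of the default AppArmor profile, or an empty string when the host does not support AppArmor (kernel support off, apparmor_parser missing, or running inside a container).` Relatedly, `ensureDefaultAppArmorProfile` presumably returns nil without loading anything in those extra cases, so containers start without the default profile; a debug- or warning-level log on the `!apparmor.HostSupports()` path would let an operator distinguish that from a misconfiguration. The body of `ensureDefaultAppArmorProfile` continues outside the hunk.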
4 changes: 2 additions & 2 deletions daemon/exec_linux.go
Expand Up @@ -3,10 +3,10 @@ package daemon // import "github.com/docker/docker/daemon"
import (
"context"

"github.com/containerd/containerd/pkg/apparmor"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/oci/caps"
"github.com/opencontainers/runc/libcontainer/apparmor"
specs "github.com/opencontainers/runtime-spec/specs-go"
)

Expand All @@ -25,7 +25,7 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
Effective: caps.GetAllCapabilities(),
}
}
if apparmor.IsEnabled() {
if apparmor.HostSupports() {
var appArmorProfile string
if c.AppArmorProfile != "" {
appArmorProfile = c.AppArmorProfile
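Review bot: In `execSetPlatformOpt` (and the same pattern in `WithApparmor` in daemon/oci_linux.go), an explicitly configured `c.AppArmorProfile` is skipped together with the rest of the block whenever `HostSupports()` is false, and nothing visible reports that the requested confinement was not applied; both bodies continue outside the hunk, so a later check may exist. The commit message says `HostSupports()` now also returns false when `apparmor_parser` is missing or the daemon runs nested, i.e. on hosts whose kernel may well have AppArmor enabled, so this silent path is reachable in more environments than before. Consider a warning-level log when `!apparmor.HostSupports() && c.AppArmorProfile != ""`; returning an error instead would also reject `apparmor=unconfined` on hosts without AppArmor, so a log seems the safer first step.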
6 changes: 3 additions & 3 deletions daemon/exec_linux_test.go
Expand Up @@ -6,17 +6,17 @@ package daemon
import (
"testing"

"github.com/containerd/containerd/pkg/apparmor"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/daemon/exec"
"github.com/opencontainers/runc/libcontainer/apparmor"
specs "github.com/opencontainers/runtime-spec/specs-go"
"gotest.tools/v3/assert"
)

func TestExecSetPlatformOpt(t *testing.T) {
if !apparmor.IsEnabled() {
if !apparmor.HostSupports() {
t.Skip("requires AppArmor to be enabled")
}
d := &Daemon{configStore: &config.Config{}}
Expand Down Expand Up @@ -44,7 +44,7 @@ func TestExecSetPlatformOpt(t *testing.T) {
// following test case in the more recent Moby codebase:
// https://github.com/moby/moby/blob/572ca799db4b67b7be35904e487f0cc51c3f9f06/daemon/exec_linux_test.go#L37-L39
func TestExecSetPlatformOptPrivileged(t *testing.T) {
if !apparmor.IsEnabled() {
if !apparmor.HostSupports() {
t.Skip("requires AppArmor to be enabled")
}
d := &Daemon{configStore: &config.Config{}}
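Review bot: The skip message `requires AppArmor to be enabled` in `TestExecSetPlatformOpt` and `TestExecSetPlatformOptPrivileged` no longer matches the condition being tested: per the commit message, `HostSupports()` also fails when `apparmor_parser` is absent or the tests run inside a container, so a kernel with AppArmor enabled can still skip these tests. Suggest `t.Skip("requires AppArmor to be supported on the host (enabled, apparmor_parser installed, not running in a container)")` in both places so a CI log makes the skip reason clear.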
4 changes: 2 additions & 2 deletions daemon/oci_linux.go
Expand Up @@ -14,6 +14,7 @@ import (
cdcgroups "github.com/containerd/cgroups"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/containerd/containerd/pkg/apparmor"
"github.com/containerd/containerd/sys"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
Expand All @@ -26,7 +27,6 @@ import (
volumemounts "github.com/docker/docker/volume/mounts"
"github.com/moby/sys/mount"
"github.com/moby/sys/mountinfo"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/user"
Expand Down Expand Up @@ -128,7 +128,7 @@ func WithSelinux(c *container.Container) coci.SpecOpts {
// WithApparmor sets the apparmor profile
func WithApparmor(c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if apparmor.IsEnabled() {
if apparmor.HostSupports() {
var appArmorProfile string
if c.AppArmorProfile != "" {
appArmorProfile = c.AppArmorProfile

