diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile
index 9271aa0d02..9929a10f3c 100644
--- a/components/engine/Dockerfile
+++ b/components/engine/Dockerfile
@@ -87,6 +87,7 @@ RUN git config --global user.email 'docker-dummy@example.com'
 VOLUME /var/lib/docker
 WORKDIR /go/src/github.com/dotcloud/docker
+ENV DOCKER_BUILDTAGS apparmor
 # Wrap all commands in the "docker-in-docker" script to allow nested containers
 ENTRYPOINT ["hack/dind"]
diff --git a/components/engine/hack/PACKAGERS.md b/components/engine/hack/PACKAGERS.md
index 8d9749b4f8..3948f001b5 100644
--- a/components/engine/hack/PACKAGERS.md
+++ b/components/engine/hack/PACKAGERS.md
@@ -148,6 +148,15 @@ This will cause the build scripts to set up a reasonable `GOPATH` that automatically and properly includes both dotcloud/docker from the local directory, and the local "./vendor" directory as necessary.
+### `DOCKER_BUILDTAGS`
+
+If you're building a binary that may need to be used on platforms that include
+AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows:
+
+```bash
+export DOCKER_BUILDTAGS='apparmor'
+```
+
 ### Static Daemon
 If it is feasible within the constraints of your distribution, you should
diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
index 59bd716022..73c53c850a 100755
--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
@@ -84,7 +84,7 @@ fi
 # Use these flags when compiling the tests and final binary
 LDFLAGS='-X github.com/dotcloud/docker/dockerversion.GITCOMMIT "'$GITCOMMIT'" -X github.com/dotcloud/docker/dockerversion.VERSION "'$VERSION'" -w'
 LDFLAGS_STATIC='-X github.com/dotcloud/docker/dockerversion.IAMSTATIC true -linkmode external -extldflags "-lpthread -static -Wl,--unresolved-symbols=ignore-in-object-files"'
-BUILDFLAGS='-tags netgo -a'
+BUILDFLAGS=( -a -tags "netgo $DOCKER_BUILDTAGS" )
 HAVE_GO_TEST_COVER=
 if \
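Review bot: `ENV DOCKER_BUILDTAGS apparmor` makes the apparmor build tag the default for every build run inside this image, and with that tag apparmor.go links against libapparmor (`#cgo LDFLAGS: -lapparmor`), so unless the AppArmor headers and library are installed earlier in this Dockerfile, outside the hunk, `go build` in the image fails at the cgo step. A comment next to the ENV line naming the dependency would make that explicit: `# the apparmor build tag needs the libapparmor headers and library installed above`. Since PACKAGERS.md presents the tag as opt-in, it is also worth a sentence in the same comment saying why the development image enables it unconditionally.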
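Review bot: Turning `BUILDFLAGS` into a bash array changes what a plain `$BUILDFLAGS` expands to: a caller that still uses the scalar form receives only the first element, `-a`, and silently loses `-tags netgo` together with the new apparmor tag. The three consumers in this diff (`go_test_dir`, `hack/make/binary`, `hack/make/dynbinary`) are converted to `"${BUILDFLAGS[@]}"`, but any other `hack/make/*` script that references `$BUILDFLAGS` is not visible here and would need the same change. A comment above the assignment guards against the next regression: `# BUILDFLAGS is an array; always expand it as "${BUILDFLAGS[@]}"`. With `DOCKER_BUILDTAGS` unset the tag string becomes `netgo ` with a trailing space, which `go build` tolerates but which is worth knowing when reading build logs.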
@@ -113,7 +113,7 @@ go_test_dir() {
 (
 set -x
 cd "$dir"
- go test ${testcover[@]} -ldflags "$LDFLAGS" $BUILDFLAGS $TESTFLAGS
+ go test ${testcover[@]} -ldflags "$LDFLAGS" "${BUILDFLAGS[@]}" $TESTFLAGS
 )
 }
diff --git a/components/engine/hack/make/binary b/components/engine/hack/make/binary
index 93e99fee8f..b7c318e6cb 100644
--- a/components/engine/hack/make/binary
+++ b/components/engine/hack/make/binary
@@ -2,5 +2,5 @@
 DEST=$1
-go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" $BUILDFLAGS ./docker
+go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" "${BUILDFLAGS[@]}" ./docker
 echo "Created binary: $DEST/docker-$VERSION"
diff --git a/components/engine/hack/make/dynbinary b/components/engine/hack/make/dynbinary
index d5ea6ebe54..e7a767e102 100644
--- a/components/engine/hack/make/dynbinary
+++ b/components/engine/hack/make/dynbinary
@@ -3,7 +3,7 @@
 DEST=$1
 # dockerinit still needs to be a static binary, even if docker is dynamic
-CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" $BUILDFLAGS ./dockerinit
+CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" "${BUILDFLAGS[@]}" ./dockerinit
 echo "Created binary: $DEST/dockerinit-$VERSION"
 ln -sf dockerinit-$VERSION $DEST/dockerinit
diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor.go b/components/engine/pkg/libcontainer/apparmor/apparmor.go
index 4b1bf579f0..a6d57d4f09 100644
--- a/components/engine/pkg/libcontainer/apparmor/apparmor.go
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor.go
@@ -1,9 +1,14 @@
+// +build apparmor,linux,amd64
+
 package apparmor
+// #cgo LDFLAGS: -lapparmor
+// #include
+// #include
+import "C"
 import (
- "fmt"
 "io/ioutil"
- "os"
+ "unsafe"
 )
 func IsEnabled() bool {
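Review bot: The constraint `// +build apparmor,linux,amd64` requires all three tags, so a Linux build on any other architecture compiled with `DOCKER_BUILDTAGS=apparmor` silently gets the stub from apparmor_disabled.go and never confines the container, with no build-time signal that the tag had no effect. If the amd64 restriction is deliberate, record why in a comment line directly below the constraint; if it is not, `// +build apparmor,linux` matches what PACKAGERS.md promises, and the complement in apparmor_disabled.go would become `// +build !apparmor !linux`. The two `// #include` lines are shown here without their header names, so I cannot confirm that the headers declaring `aa_change_onexec` and `free` are both present; `IsEnabled` starts on the hunk's last line and its body is outside it.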
@@ -16,13 +21,10 @@ func ApplyProfile(pid int, name string) error {
 return nil
 }
- f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
- if err != nil {
- return err
- }
- defer f.Close()
+ cName := C.CString(name)
+ defer C.free(unsafe.Pointer(cName))
- if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+ if _, err := C.aa_change_onexec(cName); err != nil {
 return err
 }
 return nil
diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
new file mode 100644
index 0000000000..77543e4a87
--- /dev/null
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
@@ -0,0 +1,13 @@
+// +build !apparmor !linux !amd64
+
+package apparmor
+
+import ()
+
+func IsEnabled() bool {
+ return false
+}
+
+func ApplyProfile(pid int, name string) error {
+ return nil
+}
diff --git a/components/engine/pkg/libcontainer/nsinit/init.go b/components/engine/pkg/libcontainer/nsinit/init.go
index a854f130ee..45ab881579 100644
--- a/components/engine/pkg/libcontainer/nsinit/init.go
+++ b/components/engine/pkg/libcontainer/nsinit/init.go
@@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("setup mount namespace %s", err)
 }
- if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
- return err
- }
-
 if err := setupNetwork(container, context); err != nil {
 return fmt.Errorf("setup networking %s", err)
 }
@@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("finalize namespace %s", err)
 }
+ if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+ return err
+ }
 return system.Execv(args[0], args[0:], container.Env)
 }
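Review bot: The new call discards the return code and decides success from the cgo errno value alone, `if _, err := C.aa_change_onexec(cName); err != nil`; a non-zero return with errno left at zero would be treated as success, and for a confinement call that is the fail-open direction, so check the return code and make sure a non-nil error always comes back: `if rc, err := C.aa_change_onexec(cName); rc != 0 { if err == nil { err = errors.New("apparmor: aa_change_onexec failed") }; return err }` (with `errors` added to the import block, which this commit shrinks). The `pid` parameter is now dead: `aa_change_onexec` applies to the calling process and takes effect at its next exec, whereas the removed code wrote `changeprofile` for an arbitrary pid and applied it immediately, so a caller passing any pid other than its own would be silently misled. Either drop `pid` or document the contract on the function, e.g. `// ApplyProfile schedules a transition of the calling process to profile name at its next exec; pid is ignored and kept only for API compatibility.` The function's opening lines, including the early `return nil` guard, sit above the hunk.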
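Review bot: `ApplyProfile` in this stub returns nil regardless of `name`, so a daemon built without the apparmor tag (or on a non-amd64 Linux host, given the other file's constraint) that is handed a non-empty `apparmor_profile` starts the container unconfined with no error and no log line, which is fail-open for a security control. Unless the daemon is guaranteed to leave `apparmor_profile` unset on such builds, which I cannot see from here, returning an error for a non-empty name makes the misconfiguration visible: `if name != "" { return fmt.Errorf("apparmor: profile %q requested but this binary was built without apparmor support", name) }`, with `import "fmt"` replacing the empty `import ()`. If fail-open is the intended behaviour, the minimum is a doc comment stating it, `// ApplyProfile is a no-op in builds without AppArmor support; a requested profile is silently ignored.`, and the same for `IsEnabled`.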
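Review bot: The moved `apparmor.ApplyProfile` call is now the last step before `system.Execv`, which the switch to `aa_change_onexec` in apparmor.go requires (the transition happens at the next exec, not when the call is made), but nothing in init.go records that the position is load-bearing; a comment above the call, `// Must run immediately before Execv: the profile transition takes effect on exec.`, prevents it from being reordered back. The error is returned bare while every neighbouring step wraps with context, so `return fmt.Errorf("apply apparmor profile %s", err)` matches the surrounding style. The first hunk in this file is a pure deletion of the old call site; `Init` begins and continues outside both hunks.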