From 9f58f80f28a37bf7253c314067b3223bfc2778ea Mon Sep 17 00:00:00 2001
From: "Guillaume J. Charmes"
Date: Thu, 6 Mar 2014 11:10:58 -0800
Subject: [PATCH 1/3] Use CGO for apparmor profile switch

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack)
Upstream-commit: f0f833c6d795fc8b3fb4bb379f9916745f5c7ac9
Component: engine
---
 .../engine/pkg/libcontainer/apparmor/apparmor.go | 16 ++++++++--------
 .../engine/pkg/libcontainer/nsinit/init.go | 7 +++----
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor.go b/components/engine/pkg/libcontainer/apparmor/apparmor.go
index 4b1bf579f0..c2954fdad4 100644
--- a/components/engine/pkg/libcontainer/apparmor/apparmor.go
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor.go
@@ -1,9 +1,12 @@
 package apparmor

+// #cgo LDFLAGS: -lapparmor
+// #include
+// #include
+import "C"
 import (
- "fmt"
 "io/ioutil"
- "os"
+ "unsafe"
 )

 func IsEnabled() bool {
@@ -16,13 +19,10 @@ func ApplyProfile(pid int, name string) error {
 return nil
 }

- f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
- if err != nil {
- return err
- }
- defer f.Close()
+ cName := C.CString(name)
+ defer C.free(unsafe.Pointer(cName))

- if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+ if _, err := C.aa_change_onexec(cName); err != nil {
 return err
 }
 return nil
diff --git a/components/engine/pkg/libcontainer/nsinit/init.go b/components/engine/pkg/libcontainer/nsinit/init.go
index a854f130ee..45ab881579 100644
--- a/components/engine/pkg/libcontainer/nsinit/init.go
+++ b/components/engine/pkg/libcontainer/nsinit/init.go
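Review bot: `C.aa_change_onexec` returns an int status that the new line discards with `_`, so success is decided only by the errno-derived `err`; check the status and keep errno as the detail, `if rc, err := C.aa_change_onexec(cName); rc != 0 { return err }` (a non-zero `rc` paired with a nil `err` would still need a fallback error, which means re-importing `fmt` or `errors`, both dropped in the first hunk). The switch from writing `changeprofile` to `/proc/<pid>/attr/current` to `aa_change_onexec` also changes the contract: the profile is now queued for the calling process's next exec rather than applied to `pid` now, and `pid` no longer appears in the visible body, so the doc comment should say so, e.g. `// ApplyProfile arranges for the calling process to enter the AppArmor profile name at its next exec; pid is not used.` The guard that returns nil just above the hunk is outside the visible lines; if it does not already reject an empty name, an empty `apparmor_profile` value now reaches libapparmor unchecked. ApplyProfile's opening lines lie outside the hunk.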
@@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("setup mount namespace %s", err)
 }

- if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
- return err
- }
-
 if err := setupNetwork(container, context); err != nil {
 return fmt.Errorf("setup networking %s", err)
 }
@@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 return fmt.Errorf("finalize namespace %s", err)
 }

+ if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+ return err
+ }
 return system.Execv(args[0], args[0:], container.Env)
 }

From 2ebfedab6dadf2a5f35c864fae5321de488beb15 Mon Sep 17 00:00:00 2001
From: "Guillaume J. Charmes"
Date: Thu, 6 Mar 2014 12:04:51 -0800
Subject: [PATCH 2/3] Add buildflags to allow crosscompilation for apparmor

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack)
Upstream-commit: c89fa6645ef87e1863ef5812bd42176f5bd987ca
Component: engine
---
 components/engine/hack/make.sh | 3 ++-
 components/engine/hack/make/binary | 2 +-
 components/engine/hack/make/cross | 1 +
 .../engine/pkg/libcontainer/apparmor/apparmor.go | 2 ++
 .../pkg/libcontainer/apparmor/apparmor_disabled.go | 13 +++++++++++++
 5 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go

diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
index 59bd716022..7f143dd464 100755
--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
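Review bot: The error from `apparmor.ApplyProfile` is returned bare in the added block, while every neighbouring step in Init wraps its failure with a description (`fmt.Errorf("finalize namespace %s", err)`), so a refused profile switch is indistinguishable in the caller's output from any other init failure; `return fmt.Errorf("apply apparmor profile %s", err)`. Moving the call to sit directly before `system.Execv` looks required by the `aa_change_onexec` semantics introduced in apparmor.go, where the profile only takes effect at the next exec, and a one-line comment such as `// the profile is applied at exec, so this must stay immediately before Execv` would stop a later reordering from silently leaving the container unconfined. Init begins outside the hunk.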
@@ -84,7 +84,8 @@ fi
 # Use these flags when compiling the tests and final binary
 LDFLAGS='-X github.com/dotcloud/docker/dockerversion.GITCOMMIT "'$GITCOMMIT'" -X github.com/dotcloud/docker/dockerversion.VERSION "'$VERSION'" -w'
 LDFLAGS_STATIC='-X github.com/dotcloud/docker/dockerversion.IAMSTATIC true -linkmode external -extldflags "-lpthread -static -Wl,--unresolved-symbols=ignore-in-object-files"'
-BUILDFLAGS='-tags netgo -a'
+BUILDFLAGS='-a'
+BUILDTAGS="apparmor netgo"

 HAVE_GO_TEST_COVER=
 if \
diff --git a/components/engine/hack/make/binary b/components/engine/hack/make/binary
index 93e99fee8f..344be25a73 100644
--- a/components/engine/hack/make/binary
+++ b/components/engine/hack/make/binary
@@ -2,5 +2,5 @@

 DEST=$1

-go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" $BUILDFLAGS ./docker
+go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" $BUILDFLAGS -tags "$BUILDTAGS" ./docker
 echo "Created binary: $DEST/docker-$VERSION"
diff --git a/components/engine/hack/make/cross b/components/engine/hack/make/cross
index a67ab6c28a..28424c432e 100644
--- a/components/engine/hack/make/cross
+++ b/components/engine/hack/make/cross
@@ -18,6 +18,7 @@ for platform in $DOCKER_CROSSPLATFORMS; do
 export GOOS=${platform%/*}
 export GOARCH=${platform##*/}
 export LDFLAGS_STATIC="" # we just need a simple client for these platforms (TODO this might change someday)
+ export BUILDTAGS="netgo"
 source "$(dirname "$BASH_SOURCE")/binary" "$DEST/$platform"
 )
 done
diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor.go b/components/engine/pkg/libcontainer/apparmor/apparmor.go
index c2954fdad4..d07c710dbe 100644
--- a/components/engine/pkg/libcontainer/apparmor/apparmor.go
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor.go
@@ -1,3 +1,5 @@
+// +build apparmor
+
 package apparmor

 // #cgo LDFLAGS: -lapparmor
diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
new file mode 100644
index 0000000000..489484fcc6
--- /dev/null
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
@@ -0,0 +1,13 @@
+// +build !apparmor
+
+package apparmor
+
+import ()
+
+func IsEnabled() bool {
+ return false
+}
+
+func ApplyProfile(pid int, name string) error {
+ return nil
+}

From 24c5efffe22355f83b60c9f4fa3227ace3a1fe5e Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Thu, 6 Mar 2014 13:39:17 -0700
Subject: [PATCH 3/3] Update build tags such that we can properly compile on all platforms (especially for packagers), and updated hack/PACKAGERS.md to mention the DOCKER_BUILDTAGS variable that will need to be set for binaries that might be used on AppArmor (such as Debian and especially Ubuntu)

Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
Upstream-commit: 0b23393ba1901df3d08916fa977707db58699eca
Component: engine
---
 components/engine/Dockerfile | 1 +
 components/engine/hack/PACKAGERS.md | 9 +++++++++
 components/engine/hack/make.sh | 5 ++---
 components/engine/hack/make/binary | 2 +-
 components/engine/hack/make/cross | 1 -
 components/engine/hack/make/dynbinary | 2 +-
 components/engine/pkg/libcontainer/apparmor/apparmor.go | 2 +-
 .../pkg/libcontainer/apparmor/apparmor_disabled.go | 2 +-
 8 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile
index 9271aa0d02..9929a10f3c 100644
--- a/components/engine/Dockerfile
+++ b/components/engine/Dockerfile
@@ -87,6 +87,7 @@ RUN git config --global user.email 'docker-dummy@example.com'

 VOLUME /var/lib/docker
 WORKDIR /go/src/github.com/dotcloud/docker
+ENV DOCKER_BUILDTAGS apparmor

 # Wrap all commands in the "docker-in-docker" script to allow nested containers
 ENTRYPOINT ["hack/dind"]
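Review bot: In the `!apparmor` build `ApplyProfile` returns nil whatever `name` holds, so a daemon compiled without the tag starts a container that asked for a profile with no confinement and no indication that the request was dropped; returning an error when a profile was actually requested, `if name != "" { return errors.New("apparmor profile requested but this binary was built without apparmor support") }` (with `errors` imported), fails closed, and at minimum the doc comment should state that this stub ignores the profile. Whether callers pass an empty name on hosts without AppArmor is not visible here; the caller in init.go reads `container.Context["apparmor_profile"]`, which suggests but does not prove that empty is the normal no-profile value. The empty `import ()` block is dead syntax that reads like an unfinished edit and should be dropped.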
diff --git a/components/engine/hack/PACKAGERS.md b/components/engine/hack/PACKAGERS.md
index 8d9749b4f8..3948f001b5 100644
--- a/components/engine/hack/PACKAGERS.md
+++ b/components/engine/hack/PACKAGERS.md
@@ -148,6 +148,15 @@ This will cause the build scripts to set up a reasonable `GOPATH` that
 automatically and properly includes both dotcloud/docker from the local
 directory, and the local "./vendor" directory as necessary.

+### `DOCKER_BUILDTAGS`
+
+If you're building a binary that may need to be used on platforms that include
+AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows:
+
+```bash
+export DOCKER_BUILDTAGS='apparmor'
+```
+
 ### Static Daemon

 If it is feasible within the constraints of your distribution, you should
diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
index 7f143dd464..73c53c850a 100755
--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
@@ -84,8 +84,7 @@ fi
 # Use these flags when compiling the tests and final binary
 LDFLAGS='-X github.com/dotcloud/docker/dockerversion.GITCOMMIT "'$GITCOMMIT'" -X github.com/dotcloud/docker/dockerversion.VERSION "'$VERSION'" -w'
 LDFLAGS_STATIC='-X github.com/dotcloud/docker/dockerversion.IAMSTATIC true -linkmode external -extldflags "-lpthread -static -Wl,--unresolved-symbols=ignore-in-object-files"'
-BUILDFLAGS='-a'
-BUILDTAGS="apparmor netgo"
+BUILDFLAGS=( -a -tags "netgo $DOCKER_BUILDTAGS" )

 HAVE_GO_TEST_COVER=
 if \
@@ -114,7 +113,7 @@ go_test_dir() {
 (
 set -x
 cd "$dir"
- go test ${testcover[@]} -ldflags "$LDFLAGS" $BUILDFLAGS $TESTFLAGS
+ go test ${testcover[@]} -ldflags "$LDFLAGS" "${BUILDFLAGS[@]}" $TESTFLAGS
 )
 }

diff --git a/components/engine/hack/make/binary b/components/engine/hack/make/binary
index 344be25a73..b7c318e6cb 100644
--- a/components/engine/hack/make/binary
+++ b/components/engine/hack/make/binary
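Review bot: `DOCKER_BUILDTAGS` becomes a build input on the new `BUILDFLAGS=( -a -tags "netgo $DOCKER_BUILDTAGS" )` line, but make.sh itself never says what it is or where it is documented, and this is the script packagers read first; a comment directly above it, `# DOCKER_BUILDTAGS: extra Go build tags, e.g. "apparmor" (see hack/PACKAGERS.md)`, would tie the variable to the section this commit adds. Switching to an array consumed as `"${BUILDFLAGS[@]}"` in go_test_dir is the right shape, since `-tags` takes a single space-separated argument that the earlier unquoted `$BUILDFLAGS` could not carry intact.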
@@ -2,5 +2,5 @@

 DEST=$1

-go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" $BUILDFLAGS -tags "$BUILDTAGS" ./docker
+go build -o $DEST/docker-$VERSION -ldflags "$LDFLAGS $LDFLAGS_STATIC" "${BUILDFLAGS[@]}" ./docker
 echo "Created binary: $DEST/docker-$VERSION"
diff --git a/components/engine/hack/make/cross b/components/engine/hack/make/cross
index 28424c432e..a67ab6c28a 100644
--- a/components/engine/hack/make/cross
+++ b/components/engine/hack/make/cross
@@ -18,7 +18,6 @@ for platform in $DOCKER_CROSSPLATFORMS; do
 export GOOS=${platform%/*}
 export GOARCH=${platform##*/}
 export LDFLAGS_STATIC="" # we just need a simple client for these platforms (TODO this might change someday)
- export BUILDTAGS="netgo"
 source "$(dirname "$BASH_SOURCE")/binary" "$DEST/$platform"
 )
 done
diff --git a/components/engine/hack/make/dynbinary b/components/engine/hack/make/dynbinary
index d5ea6ebe54..e7a767e102 100644
--- a/components/engine/hack/make/dynbinary
+++ b/components/engine/hack/make/dynbinary
@@ -3,7 +3,7 @@
 DEST=$1

 # dockerinit still needs to be a static binary, even if docker is dynamic
-CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" $BUILDFLAGS ./dockerinit
+CGO_ENABLED=0 go build -o $DEST/dockerinit-$VERSION -ldflags "$LDFLAGS -d" "${BUILDFLAGS[@]}" ./dockerinit
 echo "Created binary: $DEST/dockerinit-$VERSION"
 ln -sf dockerinit-$VERSION $DEST/dockerinit

diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor.go b/components/engine/pkg/libcontainer/apparmor/apparmor.go
index d07c710dbe..a6d57d4f09 100644
--- a/components/engine/pkg/libcontainer/apparmor/apparmor.go
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor.go
@@ -1,4 +1,4 @@
-// +build apparmor
+// +build apparmor,linux,amd64

 package apparmor

diff --git a/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
index 489484fcc6..77543e4a87 100644
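Review bot: The dockerinit build on the changed dynbinary line keeps `CGO_ENABLED=0` while `"${BUILDFLAGS[@]}"` now carries `-tags "netgo $DOCKER_BUILDTAGS"`; with `DOCKER_BUILDTAGS=apparmor` on linux/amd64 the apparmor package has no buildable file as far as I can tell, because the cgo implementation (constraint `apparmor,linux,amd64` in the apparmor.go hunk below) is skipped when cgo is disabled and the stub's `!apparmor !linux !amd64` constraint in the apparmor_disabled.go hunk that follows is false. Adding the `cgo` tag to both constraints, `// +build apparmor,linux,amd64,cgo` and `// +build !apparmor !linux !amd64 !cgo`, lets a CGO_ENABLED=0 build fall back to the stub instead of failing, but dockerinit is the process that performs the profile switch (init.go in the first patch), so falling back there means the container is started unconfined; if the apparmor tag is requested, dockerinit should be built with cgo enabled and linked statically instead. A comment on the stub's constraint line, `// space-separated terms are OR'd: this file builds whenever the cgo implementation does not`, would also document the old-style syntax, which reads as an AND at first glance.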
--- a/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
+++ b/components/engine/pkg/libcontainer/apparmor/apparmor_disabled.go
@@ -1,4 +1,4 @@
-// +build !apparmor
+// +build !apparmor !linux !amd64

 package apparmor