apparmor: do not save profile to /etc/apparmor.d

Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people who use apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.

Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: 2f7596aaef3a9f8ec1f2d0937462d9263bee8b6b
Component: engine
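The approach the commit message describes (write the profile to a private temporary directory, load it with `apparmor_parser -r`, then delete it so nothing lands under /etc/apparmor.d) as an added Go example; this is not Docker's code and the names `InstallTransientProfile`, `loadProfile` and `apparmorParser` are this example's own. It assumes `apparmor_parser` is on PATH and invokes it through a replaceable `loadProfile` variable so the write/load/cleanup sequence can be exercised on a host without root or AppArmor:

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// apparmorParser is the binary assumed to be on PATH (assumption for this example).
const apparmorParser = "apparmor_parser"

// loadProfile runs `apparmor_parser -r <file>` on a single profile file. It is a
// package variable so tests can substitute a stub on hosts without AppArmor.
var loadProfile = func(profilePath string) error {
	out, err := exec.Command(apparmorParser, "-r", profilePath).CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s -r %s: %w: %s", apparmorParser, profilePath, err, out)
	}
	return nil
}

// InstallTransientProfile writes the profile text into a freshly created
// temporary directory, loads it into the kernel and removes the directory again.
// Nothing is written under /etc/apparmor.d, so it works with a read-only /etc
// and leaves no on-disk copy that could drift from what the kernel holds.
func InstallTransientProfile(name string, content []byte) (err error) {
	// The name becomes a file name inside our own directory; reject anything
	// that could escape it (path separators, "..", empty).
	if name == "" || name != filepath.Base(name) {
		return fmt.Errorf("invalid profile file name %q", name)
	}
	dir, err := os.MkdirTemp("", "apparmor-profile-")
	if err != nil {
		return err
	}
	// Always clean up, whether or not the load succeeded; report a cleanup
	// failure only if the load itself did not already fail.
	defer func() {
		if rmErr := os.RemoveAll(dir); rmErr != nil && err == nil {
			err = rmErr
		}
	}()
	path := filepath.Join(dir, name)
	// 0600: the file is only needed by the parser, which runs as root.
	if err = os.WriteFile(path, content, 0o600); err != nil {
		return err
	}
	return loadProfile(path)
}

func main() {
	// Constructed sample profile; real Docker profiles are generated from a template.
	sample := []byte("profile example-transient flags=(attach_disconnected) {\n}\n")
	if err := InstallTransientProfile("example-transient", sample); err != nil {
		fmt.Fprintln(os.Stderr, "load failed (needs root and AppArmor):", err)
		os.Exit(1)
	}
	fmt.Println("profile loaded; no copy left on disk")
}
```

The deferred `os.RemoveAll` is what keeps the temporary copy from outliving the load even when `apparmor_parser` fails, so a failed load cannot leave a stray profile file for an operator to find and mistake for the loaded one.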
Aleksa Sarai
2016-07-20 22:24:55 +10:00
parent 3fe1e84cec
commit d90edcd897
2 changed files with 12 additions and 13 deletions


@ -23,10 +23,10 @@ func GetVersion() (int, error) {
return parseVersion(output)
}
// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to
// replace and write it to disk.
// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
// replace the profile.
func LoadProfile(profilePath string) error {
_, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))
_, err := cmd("-r", filepath.Dir(profilePath))
if err != nil {
return err
}
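Review bot: in the new call `_, err := cmd("-r", filepath.Dir(profilePath))` the literal "-r" now sits in the first argument position, which in the removed line `cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))` held the working directory; unless the other changed file alters cmd so its first parameter is no longer a directory, the parser would run from a working directory named "-r" with the profile's parent directory as its only argument. The new line also hands apparmor_parser the directory rather than the profile file, so every file in that directory is loaded instead of the one profile; that is only safe if the temporary directory from the commit message ever holds a single profile. If cmd still takes the working directory first, `cmd(filepath.Dir(profilePath), "-r", filepath.Base(profilePath))` keeps the single-file behaviour and drops only -W, which is the part that persisted anything and matches the updated doc comment.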