jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Set apparmor profile in execin 

The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten.  This was causing
no profiles to be applied to the extra process spawn inside an existing
container.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
Michael Crosby 2014-10-14 05:53:44 +00:00
parent 4f409628d8
commit cb6ba4dbfb
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
namespaces/execin.go
View File

@ -12,6 +12,7 @@ import (
"syscall"
"github.com/docker/libcontainer"
"github.com/docker/libcontainer/apparmor"
"github.com/docker/libcontainer/cgroups"
"github.com/docker/libcontainer/label"
"github.com/docker/libcontainer/syncpipe"
@ -96,6 +97,10 @@ func FinalizeSetns(container *libcontainer.Config, args []string) error {
return err
}
if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
}
if container.ProcessLabel != "" {
if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
return err