From cb6ba4dbfb7abf65ecaf1d0efa134f1bdc4d1826 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 14 Oct 2014 05:53:44 +0000
Subject: [PATCH] Set apparmor profile in execin

The set of the apparmor profile for the setns codepath was missing. Selinux was being called but apparmor was forgotten. This was causing no profiles to be applied to the extra process spawn inside an existing container.

Signed-off-by: Michael Crosby
---
 namespaces/execin.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/namespaces/execin.go b/namespaces/execin.go
index 8b81edec..53e676ac 100644
--- a/namespaces/execin.go
+++ b/namespaces/execin.go
@@ -12,6 +12,7 @@ import (
 "syscall"
 
 "github.com/docker/libcontainer"
+ "github.com/docker/libcontainer/apparmor"
 "github.com/docker/libcontainer/cgroups"
 "github.com/docker/libcontainer/label"
 "github.com/docker/libcontainer/syncpipe"
@@ -96,6 +97,10 @@ func FinalizeSetns(container *libcontainer.Config, args []string) error {
 return err
 }
 
+ if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
+ return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
+ }
+
 if container.ProcessLabel != "" {
 if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
 return err
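Review bot: In the FinalizeSetns hunk, `apparmor.ApplyProfile(container.AppArmorProfile)` is called unconditionally, whereas the SELinux step immediately below it is guarded by `if container.ProcessLabel != ""`; if `ApplyProfile` does not itself treat an empty profile name (or a host without AppArmor) as a no-op, every exec-in into a container configured without an AppArmor profile will now fail with `set apparmor profile : ...`. Presumably the apparmor package short-circuits in that case, but that is not visible here, so either confirm it or mirror the SELinux guard with `if container.AppArmorProfile != "" { ... }` around the new block. Failing closed when a non-empty profile cannot be applied is the right behaviour, since the new process would otherwise run unconfined inside a confined container. Note also that the new `fmt.Errorf` relies on `fmt` already being imported above the part of the import block the first hunk shows. FinalizeSetns begins and ends outside the hunk.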