opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 19:44:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3189 from vrothberg/apparmor-fixes

Browse Source 
Apparmor fixes
This commit is contained in:
OpenShift Merge Robot
2019-05-28 16:23:48 +02:00
committed by GitHub
parent 25f8c21ea8 1910118de9
commit 335a1ef160
3 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/podman/create.go
View File

@ -7,6 +7,7 @@ import (
"github.com/containers/libpod/pkg/adapter"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
@ -72,6 +73,10 @@ func createInit(c *cliconfig.PodmanCommand) error {
defer span.Finish()
}
if c.IsSet("privileged") && c.IsSet("security-opt") {
logrus.Warn("setting security options with --privileged has no effect")
}
// Docker-compatibility: the "-h" flag for run/create is reserved for
// the hostname (see https://github.com/containers/libpod/issues/1367).

4
libpod/container_internal_linux.go
View File

@ -25,7 +25,7 @@ import (
"github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
"github.com/cyphar/filepath-securejoin"
securejoin "github.com/cyphar/filepath-securejoin"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
// Apply AppArmor checks and load the default profile if needed.
if !c.config.Privileged {
updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
if err != nil {
return nil, err
}
g.SetProcessApparmorProfile(updatedProfile)
}
if err := c.makeBindMounts(); err != nil {
return nil, err

10
test/test_podman_baseline.sh
View File

@ -504,6 +504,16 @@ EOF
echo "failed"
fi
#Expected to pass (as root with --privileged).
#Note that the profile should not be loaded letting the mount succeed.
podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2"
rc=$?
echo -n "root with specified AppArmor profile but --privileged: "
if [ $rc == 0 ]; then
echo "passed"
else
echo "failed"
fi
#Expected to fail (as rootless)
sudo -u "#1000" podman run --security-opt apparmor=$aaProfile docker.io/library/alpine:latest echo hello
rc=$?