Apply the default AppArmor profile at container initialization to cover
all possible code paths (i.e., podman-{start,run}) before executing the
runtime. This allows moving most of the logic into pkg/apparmor.
Also make the loading and application of the default AppArmor profile
version-independent by checking for the `libpod-default-` prefix and
overwriting the profile in the run-time spec if needed.
The initial run-time spec of the container differs a bit from the
applied one when having started the container, which results in
displaying a potentially outdated AppArmor profile when inspecting
a container. To fix that, load the container config from the file
system if present and use it to display the data.
Fixes: #2107
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
18 lines
694 B
Go
package apparmor
|
|
|
|
import (
|
|
"errors"
|
|
libpodVersion "github.com/containers/libpod/version"
|
|
)
|
|
|
|
var (
|
|
// DefaultLipodProfilePrefix is used for version-independent presence checks.
|
|
DefaultLipodProfilePrefix = "libpod-default" + "-"
|
|
// DefaultLibpodProfile is the name of default libpod AppArmor profile.
|
|
DefaultLibpodProfile = DefaultLipodProfilePrefix + libpodVersion.Version
|
|
// ErrApparmorUnsupported indicates that AppArmor support is not supported.
|
|
ErrApparmorUnsupported = errors.New("AppArmor is not supported")
|
|
// ErrApparmorRootless indicates that AppArmor support is not supported in rootless mode.
|
|
ErrApparmorRootless = errors.New("AppArmor is not supported in rootless mode")
|
|
)
|