| field | value | date |
|---|---|---|
| author | Sebastiaan van Stijn <github@gone.nl> | 2018-03-02 13:17:56 +0100 |
| committer | Sebastiaan van Stijn <github@gone.nl> | 2018-03-02 14:05:36 +0100 |
| commit | 8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34 (patch) | |
| tree | 5403260f825889eca37810f875b5ff9114b4ff0c /daemon/exec_linux.go | |
| parent | 75377ec12c44fed7d5dcb131438ae88d9fe7df84 (diff) | |
| download | docker-8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34.tar.gz | |
Fix AppArmor not being applied to Exec processes
Exec processes do not automatically inherit AppArmor
profiles from the container.
This patch sets the AppArmor profile for the exec
process.
Before this change:
apparmor_parser -q -r <<EOF
#include <tunables/global>
profile deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
network,
deny /tmp/** w,
capability,
}
EOF
docker run -dit --security-opt "apparmor=deny-write" --name aa busybox
docker exec aa sh -c 'mkdir /tmp/test'
(no error)
With this change applied:
docker exec aa sh -c 'mkdir /tmp/test'
mkdir: can't create directory '/tmp/test': Permission denied
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
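The repro above only shows the effect of the profile (the denied mkdir). A practitioner verifying this fix will also want to see the label the kernel actually attached to the exec process, which AppArmor exposes in /proc/<pid>/attr/current. The script below is an added example, not part of the commit or of the Docker code base; it assumes the container name "aa" and the profile "deny-write" from the repro, and that a Docker daemon with AppArmor is available. The label-parsing functions are pure string handling, so they can be checked without Docker.

```shell
#!/bin/sh
# Added example (not from the commit): confirm that a `docker exec` process is
# confined by the container's AppArmor profile by reading its own label from
# /proc/self/attr/current inside the exec.
#
# Assumed names (taken from the commit message's repro, not from the code):
# container "aa", profile "deny-write".

# Parse one line of /proc/<pid>/attr/current into "<profile> <mode>":
#   "deny-write (enforce)" -> "deny-write enforce"
#   "unconfined"           -> "unconfined -"
aa_parse_label() {
    label=$1
    case "$label" in
        *" ("*")")
            profile=${label%% (*}
            mode=${label##* (}
            mode=${mode%)}
            printf '%s %s\n' "$profile" "$mode"
            ;;
        *)
            printf '%s -\n' "$label"
            ;;
    esac
}

# Return 0 only if the label names the expected profile in enforce mode.
# "unconfined", a different profile, or complain mode all count as failure,
# because none of them would have produced the "Permission denied" above.
aa_check_label() {
    label=$1
    expected=$2
    set -- $(aa_parse_label "$label")
    profile=$1
    mode=$2
    if [ "$profile" = "$expected" ] && [ "$mode" = "enforce" ]; then
        return 0
    fi
    printf 'expected profile "%s" (enforce), got "%s" (%s)\n' \
        "$expected" "$profile" "$mode" >&2
    return 1
}

# Read the label of a process exec'd into a running container and check it.
# Returns 2 if the exec itself fails (container not running, no Docker, ...).
# On a daemon without this fix the profile was not applied to the exec, so
# this check is expected to fail there.
check_exec_confinement() {
    container=$1
    expected=$2
    label=$(docker exec "$container" cat /proc/self/attr/current) || return 2
    aa_check_label "$label" "$expected"
}

# Usage, after loading the profile and starting the container as in the repro:
#   check_exec_confinement aa deny-write && echo "exec is confined by deny-write"
```

Reading the label is a stronger check than the mkdir test: a denied write could also come from file permissions or a read-only mount, whereas the label ties the result to the profile that `--security-opt apparmor=` requested.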
Diffstat (limited to 'daemon/exec_linux.go')
-rw-r--r-- | daemon/exec_linux.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go index 1ed26c2fcc..cd52f4886f 100644 --- a/daemon/exec_linux.go +++ b/daemon/exec_linux.go @@ -34,6 +34,8 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config if c.AppArmorProfile != "" { appArmorProfile = c.AppArmorProfile } else if c.HostConfig.Privileged { + // `docker exec --privileged` does not currently disable AppArmor + // profiles. Privileged configuration of the container is inherited appArmorProfile = "unconfined" } else { appArmorProfile = "docker-default" @@ -50,6 +52,7 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config return err } } + p.ApparmorProfile = appArmorProfile } daemon.setRlimits(&specs.Spec{Process: p}, c) return nil |
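Review bot: In the first hunk the added comment stops mid-thought ("Privileged configuration of the container is inherited" has no sentence end) and describes the behaviour only through a CLI flag; since this branch tests `c.HostConfig.Privileged` and never consults the `ec` argument, say that directly so the next reader does not assume an exec-level privileged setting reaches this decision, e.g. "The AppArmor choice follows the container's HostConfig.Privileged, not the exec's own privileged setting, so `docker exec --privileged` does not disable the profile." It is also worth stating that an explicit `c.AppArmorProfile` wins over the privileged branch, because that is the precedence the if/else chain enforces.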
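Review bot: In the second hunk the new `p.ApparmorProfile = appArmorProfile` sits after an error-returning block whose body is outside the shown context, so confirm that every path inside the enclosing guard reaches the assignment and that no earlier `return nil` in that guard leaves the exec without a profile as before. Because the process spec now carries the profile name into the runtime instead of omitting it, a sentence in the commit message on what happens when the named profile is not loaded on the host would help operators. The diffstat shown is filtered to `daemon/exec_linux.go`, so it is not visible whether the `mkdir /tmp/test` repro from the message is captured as an integration test; it should be, asserting on the "Permission denied" result rather than on the absence of an error.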