From 10acd8e7699d2014057e57bed9a7648c8097eb0e Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Mon, 19 Aug 2019 15:26:31 -0700
Subject: [PATCH] Fix apparmor for privileged.
Signed-off-by: Lantao Liu
---
 pkg/server/container_create.go | 19 +++++++++----------
 pkg/server/container_create_test.go | 9 +++++++++
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index d6f9779c4..d34e66754 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 if !c.config.DisableProcMount {
 // Apply masked paths if specified.
- // Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
+ // If the container is privileged, this will be cleared later on.
 specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
 // Apply readonly paths if specified.
- // Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
+ // If the container is privileged, this will be cleared later on.
 specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
 }
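Review bot: The two rewritten comments on the masked-paths and readonly-paths lines now say the values are "cleared later on" without saying where, whereas the replaced text named setOCIPrivileged(); a reader of generateContainerSpec has to search for the privileged handling to confirm that the masking really is undone. If that helper was renamed or the clearing moved (not visible in this hunk), name the new location instead of dropping it, e.g. `// If the container is privileged, the masked paths are cleared again in <privileged-handling helper>.` and the same for readonly paths. generateContainerSpec starts before this hunk and continues past it, and the hunk header counts suggest trailing blank context lines were lost in the collapse.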
@@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 return nil, nil
 }
 switch apparmorProf {
- case runtimeDefault:
+ // Based on kubernetes#51746, default apparmor profile should be applied
+ // for when apparmor is not specified.
+ case runtimeDefault, "":
+ if privileged {
+ // Do not set apparmor profile when container is privileged
+ return nil, nil
+ }
 // TODO (mikebrow): delete created apparmor default profile
 return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 case unconfinedProfile:
 return nil, nil
- case "":
- // Based on kubernetes#51746, default apparmor profile should be applied
- // for non-privileged container when apparmor is not specified.
- if privileged {
- return nil, nil
- }
- return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 default:
 // Require and Trim default profile name prefix
 if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index d340c27d5..6fb65cd22 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -1080,10 +1080,19 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 profile: runtimeDefault,
 specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
 },
+ "should not apparmor when apparmor is default and privileged is true": {
+ profile: runtimeDefault,
+ privileged: true,
+ },
 "should set specified profile when local profile is specified": {
 profile: profileNamePrefix + "test-profile",
 specOpts: apparmor.WithProfile("test-profile"),
 },
+ "should set apparmor when local profile is specified and privileged is true": {
+ profile: profileNamePrefix + "test-profile",
+ privileged: true,
+ specOpts: apparmor.WithProfile("test-profile"),
+ },
 "should return error if specified profile is invalid": {
 profile: "test-profile",
 expectErr: true,
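Review bot: The comment added above `case runtimeDefault, "":` drops the "non-privileged" qualifier the removed comment carried, even though the `if privileged` guard directly below still makes that the rule, and "for when apparmor is not specified" no longer describes the runtimeDefault arm it now also covers. Suggest `// Based on kubernetes#51746, the default apparmor profile is applied to non-privileged` / `// containers when the profile is runtimeDefault or unspecified; privileged containers get` / `// no profile here, while an explicit profileNamePrefix profile (default arm) still applies.` The inner `// Do not set apparmor profile when container is privileged` states what the guard does but not why; adding a clause such as "privileged containers are expected to run unconfined" records the security decision so a later reader does not mistake it for a bug, and if this file already logs spec decisions, a debug line at that return would make the silent downgrade from a requested runtimeDefault visible in node logs. generateApparmorSpecOpts begins before this hunk and its default arm continues past it.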
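Review bot: The new table key `"should not apparmor when apparmor is default and privileged is true"` is missing its verb; `"should not set apparmor when apparmor is default and privileged is true"` matches the wording of the neighbouring cases. The two added cases cover runtimeDefault with privileged and a local profile with privileged, but the merged `case runtimeDefault, ""` arm also handles an empty profile with privileged set; if the table does not already hold that combination elsewhere (not visible in this hunk), add `"should not set apparmor when profile is empty and privileged is true": {privileged: true},` so the folded arm is pinned on both inputs. TestGenerateApparmorSpecOpts starts before this hunk and continues past it.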