contrib/apparmor: expose LoadDefaultProfile

Expected to be used by nerdctl: 6026ae740a/internal_oci_hook.go (L170-L180)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Akihiro Suda 2020-12-11 19:59:51 +09:00
parent 7b0149ac4a
commit 7b04b3cbb6
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A


@ -41,12 +41,22 @@ func WithProfile(profile string) oci.SpecOpts {
// for the container. It is only generated if a profile under that name does not exist. // for the container. It is only generated if a profile under that name does not exist.
func WithDefaultProfile(name string) oci.SpecOpts { func WithDefaultProfile(name string) oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
if err := LoadDefaultProfile(name); err != nil {
return err
}
s.Process.ApparmorProfile = name
return nil
}
}
// LoadDefaultProfile ensures the default profile to be loaded with the given name.
// Returns nil error if the profile is already loaded.
func LoadDefaultProfile(name string) error {
yes, err := isLoaded(name) yes, err := isLoaded(name)
if err != nil { if err != nil {
return err return err
} }
if yes { if yes {
s.Process.ApparmorProfile = name
return nil return nil
} }
p, err := loadData(name) p, err := loadData(name)
@ -67,7 +77,5 @@ func WithDefaultProfile(name string) oci.SpecOpts {
if err := load(path); err != nil { if err := load(path); err != nil {
return errors.Wrapf(err, "load apparmor profile %s", path) return errors.Wrapf(err, "load apparmor profile %s", path)
} }
s.Process.ApparmorProfile = name
return nil return nil
}
} }
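Review bot: The newly exported `LoadDefaultProfile` passes `name` straight to `isLoaded(name)` and `loadData(name)` with no validation visible in these hunks, and exporting it turns that argument into a public API boundary (the commit message names an OCI hook in nerdctl as the intended caller). If `loadData` interpolates the name into the generated profile text, which is not visible here, an empty or malformed name should be rejected up front, for example `if name == "" { return errors.New("apparmor profile name must not be empty") }`. The doc comment should also state what the early `if yes { return nil }` implies: a profile already loaded under that name is accepted as-is without checking its contents, so a nil return does not guarantee that the default policy is the one in force. A clearer first sentence would be `// LoadDefaultProfile ensures that the default profile is loaded under the given name.` The middle of the function body lies between the two hunks and is not shown.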