docker/bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch

61 lines
2.2 KiB
Diff
Raw Normal View History

From 9783e1791fc438751b327023b0cd7d392e54084f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 18 May 2017 00:02:00 +1000
Subject: [PATCH] apparmor: make pkg/aaparser work on read-only root
This is necessary because normally `apparmor_parser -r` will try to
create a temporary directory on the host (which is not allowed if the
host has a rootfs). However, the -K option bypasses saving things to the
cache (which avoids this issue).
% apparmor_parser -r /tmp/docker-profile
mkstemp: Read-only file system
% apparmor_parser -Kr /tmp/docker-profile
%
In addition, add extra information to the ensureDefaultAppArmorProfile
errors so that problems like this are easier to debug.
Fixes: 2f7596aaef3a ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/apparmor_default.go | 2 +-
pkg/aaparser/aaparser.go | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 09dd0541b872..2a418b25c241 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
// Load the profile.
if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
}
}
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index e794c4c729e2..5de4a4d79b35 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
return parseVersion(output)
}
-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
-// replace the profile.
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
func LoadProfile(profilePath string) error {
- _, err := cmd("", "-r", profilePath)
+ _, err := cmd("", "-Kr", profilePath)
return err
}
--
2.12.2