From 04f594765577163a26f24d0fe3fc7a2283f1e018 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") mistakenly made the initial profile load at dockerd start-up lazy. As a result, if you have a running Docker daemon and upgrade it to a new one with an updated AppArmor profile the new profile will not take effect (because the old one is still loaded). The fix for this is quite trivial, and just requires us to clobber the profile on start-up. Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") SUSE-Bugs: bsc#1099277 Signed-off-by: Aleksa Sarai --- components/engine/daemon/apparmor_default.go | 14 ++++++++++---- .../engine/daemon/apparmor_default_unsupported.go | 4 ++++ components/engine/daemon/daemon.go | 4 +++- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go index 461f5c7f96b2..8f21c5c0c566 100644 --- a/components/engine/daemon/apparmor_default.go +++ b/components/engine/daemon/apparmor_default.go @@ -14,6 +14,15 @@ const ( defaultApparmorProfile = "docker-default" ) +func clobberDefaultAppArmorProfile() error { + if apparmor.IsEnabled() { + if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { + return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) + } + } + return nil +} + func ensureDefaultAppArmorProfile() error { if apparmor.IsEnabled() { loaded, err := aaprofile.IsLoaded(defaultApparmorProfile) @@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error { } // Load the profile. - if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { - return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) - } + return clobberDefaultAppArmorProfile() } - return nil } diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go index 51f9c526b350..97d7758442ee 100644 --- a/components/engine/daemon/apparmor_default_unsupported.go +++ b/components/engine/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ package daemon // import "github.com/docker/docker/daemon" +func clobberDefaultAppArmorProfile() error { + return nil +} + func ensureDefaultAppArmorProfile() error { return nil } diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go index a307863017ab..67cd286002bf 100644 --- a/components/engine/daemon/daemon.go +++ b/components/engine/daemon/daemon.go @@ -735,7 +735,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S logrus.Warnf("Failed to configure golang's threads limit: %v", err) } - if err := ensureDefaultAppArmorProfile(); err != nil { + // Make sure we clobber any pre-existing docker-default profile to ensure + // that upgrades to the profile actually work smoothly. + if err := clobberDefaultAppArmorProfile(); err != nil { logrus.Errorf(err.Error()) } -- 2.19.1