From 9783e1791fc438751b327023b0cd7d392e54084f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 18 May 2017 00:02:00 +1000
Subject: [PATCH] apparmor: make pkg/aaparser work on read-only root
This is necessary because normally `apparmor_parser -r` will try to create a temporary directory on the host (which is not allowed if the host has a rootfs). However, the -K option bypasses saving things to the cache (which avoids this issue).
% apparmor_parser -r /tmp/docker-profile
mkstemp: Read-only file system
% apparmor_parser -Kr /tmp/docker-profile
%
In addition, add extra information to the ensureDefaultAppArmorProfile errors so that problems like this are easier to debug.
Fixes: 2f7596aaef3a ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai
---
 daemon/apparmor_default.go | 2 +-
 pkg/aaparser/aaparser.go | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 09dd0541b872..2a418b25c241 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
 // Load the profile.
 if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
 }
 }
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index e794c4c729e2..5de4a4d79b35 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
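Review bot: The added `fmt.Errorf` line formats `err` with `%s`; `%v` is the conventional verb for an error value and prints a nil error as `<nil>` rather than `%!s(<nil>)`, so `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %v", defaultApparmorProfile, err)` is the safer spelling even though `err` is non-nil on this branch. If the toolchain in use supports `%w`, wrapping instead of flattening would also let callers inspect the underlying error from aaprofile.InstallDefault, but the module's Go version is not visible from the hunk. The message keeps the capitalised, sentence-style text; Go convention is lowercase with no trailing punctuation, though the neighbouring messages in this file are outside the hunk and may share the existing style. ensureDefaultAppArmorProfile begins before the hunk, and the hunk as rendered shows fewer lines than its header counts.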
@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
 return parseVersion(output)
 }
-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
-// replace the profile.
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
 func LoadProfile(profilePath string) error {
- _, err := cmd("", "-r", profilePath)
+ _, err := cmd("", "-Kr", profilePath)
 return err
 }
-- 
2.12.2
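Review bot: The new doc comment on LoadProfile says why `-K` is needed but not what it costs: per the commit message, `-K` skips writing the compiled profile to apparmor_parser's cache, so every call recompiles the profile from source, which is worth stating for anyone looking at daemon start-up time, e.g. `// Because -K skips the parser cache, each load recompiles the profile; slower, but the parser never writes to the host.` The added `_, err := cmd("", "-Kr", profilePath)` line still discards the parser's output, so if `cmd`'s returned error does not carry the parser's stderr, the very diagnostic this commit chases (`mkstemp: Read-only file system`) is lost before it reaches the daemon's error message; `cmd` is defined outside the hunk, so I cannot confirm which it is. GetVersion's body starts before the hunk.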