Merge pull request #4709 from AkihiroSuda/ctr-apparmor

crosbymichael · web-flow · commit 5f74840a9a3b · 2020-11-10T10:21:51.000-05:00
ctr: add AppArmor flags
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -163,6 +163,14 @@ var (
 			Name:  "seccomp-profile",
 			Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",
 		},
+		cli.StringFlag{
+			Name:  "apparmor-default-profile",
+			Usage: "enable AppArmor with the default profile with the specified name, e.g. \"cri-containerd.apparmor.d\"",
+		},
+		cli.StringFlag{
+			Name:  "apparmor-profile",
+			Usage: "enable AppArmor with an existing custom profile",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -27,6 +27,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cmd/ctr/commands"
+	"github.com/containerd/containerd/contrib/apparmor"
 	"github.com/containerd/containerd/contrib/nvidia"
 	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/oci"
@@ -206,6 +207,17 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 			}
 		}
 
+		if s := context.String("apparmor-default-profile"); len(s) > 0 {
+			opts = append(opts, apparmor.WithDefaultProfile(s))
+		}
+
+		if s := context.String("apparmor-profile"); len(s) > 0 {
+			if len(context.String("apparmor-default-profile")) > 0 {
+				return nil, fmt.Errorf("apparmor-profile conflicts with apparmor-default-profile")
+			}
+			opts = append(opts, apparmor.WithProfile(s))
+		}
+
 		if cpus := context.Float64("cpus"); cpus > 0.0 {
 			var (
 				period = uint64(100000)

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,14 @@ var (`
`163`	`163`	`Name: "seccomp-profile",`
`164`	`164`	`Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",`
`165`	`165`	`},`
	`166`	`+ cli.StringFlag{`
	`167`	`+ Name: "apparmor-default-profile",`
	`168`	`+ Usage: "enable AppArmor with the default profile with the specified name, e.g. \"cri-containerd.apparmor.d\"",`
	`169`	`+ },`
	`170`	`+ cli.StringFlag{`
	`171`	`+ Name: "apparmor-profile",`
	`172`	`+ Usage: "enable AppArmor with an existing custom profile",`
	`173`	`+ },`
`166`	`174`	`}`
`167`	`175`	`)`
`168`	`176`