Skip to content
This repository was archived by the owner on Mar 9, 2022. It is now read-only.

Commit f5a171f

Browse files
Random-LiuRandom-Liu
committed
Fix apparmor for privileged.
Signed-off-by: Lantao Liu <[email protected]>
1 parent d928a4d commit f5a171f

2 files changed

Lines changed: 18 additions & 10 deletions

File tree

pkg/server/container_create.go

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -371,14 +371,14 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
371371

372372
if !c.config.DisableProcMount {
373373
// Apply masked paths if specified.
374-
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
374+
// If the container is privileged, this will be cleared later on.
375375
g.Config.Linux.MaskedPaths = nil
376376
for _, path := range securityContext.GetMaskedPaths() {
377377
g.AddLinuxMaskedPaths(path)
378378
}
379379

380380
// Apply readonly paths if specified.
381-
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
381+
// If the container is privileged, this will be cleared later on.
382382
g.Config.Linux.ReadonlyPaths = nil
383383
for _, path := range securityContext.GetReadonlyPaths() {
384384
g.AddLinuxReadonlyPaths(path)
@@ -956,18 +956,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
956956
return nil, nil
957957
}
958958
switch apparmorProf {
959-
case runtimeDefault:
960-
// TODO (mikebrow): delete created apparmor default profile
961-
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
962-
case unconfinedProfile:
963-
return nil, nil
964-
case "":
965-
// Based on kubernetes#51746, default apparmor profile should be applied
966-
// for non-privileged container when apparmor is not specified.
959+
// Based on kubernetes#51746, default apparmor profile should be applied
960+
// for when apparmor is not specified.
961+
case runtimeDefault, "":
967962
if privileged {
963+
// Do not set apparmor profile when container is privileged
968964
return nil, nil
969965
}
966+
// TODO (mikebrow): delete created apparmor default profile
970967
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
968+
case unconfinedProfile:
969+
return nil, nil
971970
default:
972971
// Require and Trim default profile name prefix
973972
if !strings.HasPrefix(apparmorProf, profileNamePrefix) {

pkg/server/container_create_test.go

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -982,10 +982,19 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
982982
profile: runtimeDefault,
983983
specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
984984
},
985+
"should not apparmor when apparmor is default and privileged is true": {
986+
profile: runtimeDefault,
987+
privileged: true,
988+
},
985989
"should set specified profile when local profile is specified": {
986990
profile: profileNamePrefix + "test-profile",
987991
specOpts: apparmor.WithProfile("test-profile"),
988992
},
993+
"should set apparmor when local profile is specified and privileged is true": {
994+
profile: profileNamePrefix + "test-profile",
995+
privileged: true,
996+
specOpts: apparmor.WithProfile("test-profile"),
997+
},
989998
"should return error if specified profile is invalid": {
990999
profile: "test-profile",
9911000
expectErr: true,

0 commit comments

Comments
 (0)