
Commit ab3fa46

committed
apparmor: Check if apparmor_parser is available
`hostSupports` doesn't check if the apparmor_parser is available. It's possible in some environments that the apparmor will be enabled but the tool to load the profile is not available which will cause the ensureDefaultAppArmorProfile to fail completely. This patch checks if the apparmor_parser is available. Otherwise the function returns early, but still logs a warning to the daemon log. Signed-off-by: Paweł Gronowski <[email protected]>
1 parent dee7ff4 commit ab3fa46

1 file changed

Lines changed: 22 additions & 1 deletion


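--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -5,9 +5,12 @@ package daemon // import "github.com/docker/docker/daemon"
 
 import (
 "fmt"
+"os"
+"sync"
 
 "github.com/containerd/containerd/pkg/apparmor"
 aaprofile "github.com/docker/docker/profiles/apparmor"
+"github.com/sirupsen/logrus"
 )
 
 // Define constants for native driver
@@ -16,6 +19,11 @@ const (
 defaultAppArmorProfile = "docker-default"
 )
 
+var (
+checkAppArmorOnce sync.Once
+isAppArmorAvailable bool
+)
+
 // DefaultApparmorProfile returns the name of the default apparmor profile
 func DefaultApparmorProfile() string {
 if apparmor.HostSupports() {
@@ -25,7 +33,20 @@ func DefaultApparmorProfile() string {
 }
 
 func ensureDefaultAppArmorProfile() error {
-if apparmor.HostSupports() {
+checkAppArmorOnce.Do(func() {
+if apparmor.HostSupports() {
+// Restore the apparmor_parser check removed in containerd:
+// https://github.com/containerd/containerd/commit/1acca8bba36e99684ee3489ea4a42609194ca6b9
+// Fixes: https://github.com/moby/moby/issues/44900
+if _, err := os.Stat("/sbin/apparmor_parser"); err == nil {
+isAppArmorAvailable = true
+} else {
+logrus.Warn("AppArmor enabled on system but \"apparmor_parser\" binary is missing, so profile can't be loaded")
+}
+}
+})
+
+if isAppArmorAvailable {
 loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
 if err != nil {
 return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultAppArmorProfile, err)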
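Review bot: The new `isAppArmorAvailable` result in `ensureDefaultAppArmorProfile` is not shared with `DefaultApparmorProfile`, which in the context lines of the second hunk still gates only on `apparmor.HostSupports()`. On a host with AppArmor enabled but no parser, the daemon would skip loading `docker-default` yet presumably still return that profile name for containers, so it is worth confirming whether they then fail to start or run without the expected confinement. The `os.Stat("/sbin/apparmor_parser")` check also hard-codes a single path and treats every stat error as "missing"; if the profile loader resolves the binary through PATH (not visible here), a parser installed elsewhere would silently disable the default profile. I would put the check in one helper used by both functions and log the cause, e.g. `logrus.WithError(err).Warn("AppArmor enabled on system but \"apparmor_parser\" binary is missing, so profile can't be loaded")`. Both function bodies continue outside the hunks shown.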
