Apply apparmor before restrictions

There is not need for the remount hack, we use aa_change_onexec so the apparmor profile is not applied until we exec the users app. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
docker-archive · May 2, 2014 · 08dbd53 · 08dbd53
1 parent 3720dca
commit 08dbd53
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 33 deletions.
diff --git a/console/console.go b/console/console.go
@@ -4,11 +4,12 @@ package console
 
 import (
 	"fmt"
-	"github.com/dotcloud/docker/pkg/label"
-	"github.com/dotcloud/docker/pkg/system"
 	"os"
 	"path/filepath"
 	"syscall"
+
+	"github.com/dotcloud/docker/pkg/label"
+	"github.com/dotcloud/docker/pkg/system"
 )
 
 // Setup initializes the proper /dev/console inside the rootfs path

diff --git a/nsinit/init.go b/nsinit/init.go
@@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
 
 	runtime.LockOSThread()
 
+	if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
+		return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
+	}
+	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
+		return fmt.Errorf("set process label %s", err)
+	}
 	if container.Context["restrictions"] != "" {
 		if err := restrict.Restrict(); err != nil {
 			return err
 		}
 	}
-
-	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
-		return err
-	}
-	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
-		return fmt.Errorf("set process label %s", err)
-	}
 	if err := FinalizeNamespace(container); err != nil {
 		return fmt.Errorf("finalize namespace %s", err)
 	}

diff --git a/security/restrict/restrict.go b/security/restrict/restrict.go
@@ -4,8 +4,6 @@ package restrict
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"syscall"
 
 	"github.com/dotcloud/docker/pkg/system"
@@ -23,26 +21,5 @@ func Restrict() error {
 	if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil {
 		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
 	}
-
-	// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
-	// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
-	// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
-	if err := os.Mkdir(".proc", 0700); err != nil {
-		return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
-	}
-	if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
-		return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
-	}
-	if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
-		return fmt.Errorf("unable to remount proc read-write: %s", err)
-	}
-	for _, path := range []string{"attr", "task"} {
-		if err := system.Mount(filepath.Join(".proc", "1", path), filepath.Join("proc", "1", path), "", syscall.MS_BIND, ""); err != nil {
-			return fmt.Errorf("unable to bind-mount %s: %s", path, err)
-		}
-	}
-	if err := system.Unmount(".proc", 0); err != nil {
-		return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
-	}
-	return os.RemoveAll(".proc")
+	return nil
 }