Set's an apparmor profile on the OCI spec if one is configred on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This has the nice side-effect of unifying the mount- and
non-mount-changes made due to processMode and securityMode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
There's only a couple of things that are host-platform limited, i.e.,
security and process modes.
Everything else is specific to a target-platform. We can tell if we're
targeting a Linux platform, either on Linux or LCOW, by the presence of
the Linux key in the generated spec.
This doesn't introduce support for LCOW, as we'd need to plumb that down
from the caller. It will probably also need massaging to work with LCOW,
as some of the setup code here is probably incorrect for LCOW, e.g.,
the bind-mounts list may be incorrect.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Brian Goff
Lu Jingxiao
Paul "TBBle" Hampson
Tibor Vass