Copied from github.com/moby/moby, which already has a fix for it.
Tested manually on an Ubuntu 23.10 (beta) VM.
Fixes: #containers/podman/issues/20278
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
`github.com/pkg/errors` has been deprecated for quite some time, so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing gocritic's octalLiteral warnings like this one:
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
return (perm & 0722) == 0700
^
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This reverts commit 6994271ca4 since
it does not pass Podman CI (i.e., the rootless Ubuntu job fails).
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Previously, Podman would print an error if you tried to run a container
with an AppArmor profile as a non-root user, e.g.
$ podman run --security-opt apparmor=my-profile ...
Error: Apparmor profile "my-profile" specified, but Apparmor is not
enabled on this system
In fact, the only thing that Podman needs root privileges for is reading
/sys/kernel/security/apparmor/profiles to see if the profile is already
loaded, which isn't strictly necessary.
This commit removes the 'IsLoaded()' check that occurs when you try to
specify an AppArmor profile as a non-root user, as well as the other
checks in pkg/apparmor/ for whether the program is running as UID 0. The
check for whether the AppArmor profile is loaded should now be deferred
to the container runtime at the point where it writes to either
/proc/self/attr/exec or /proc/self/attr/apparmor/exec, since the write
should fail if the profile is not loaded.
Closes #958.
Signed-off-by: kernelmethod <17100608+kernelmethod@users.noreply.github.com>
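One way the loaded-profile check described in the commit above can degrade gracefully for a non-root caller, as an added example that is not the project's or moby's own code; the profiles listing is a constructed sample in the `<name> (<mode>)` format of /sys/kernel/security/apparmor/profiles, and `CheckLoaded` is a hypothetical helper:

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"io/fs"
	"os"
	"strings"
)

// Constructed sample in the line format of
// /sys/kernel/security/apparmor/profiles: "<name> (<mode>)".
const constructedProfiles = `/usr/sbin/cupsd (enforce)
container-default (enforce)
my-profile (complain)
my-profile//child (enforce)
`

// ProfileMode returns the confinement mode of name ("enforce",
// "complain", ...) from a profiles listing, or "" if it is not loaded.
// Matching on name+" (" keeps "my-profile" from matching its //child.
func ProfileMode(r io.Reader, name string) (string, error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, name+" (") {
			return strings.TrimSuffix(strings.TrimPrefix(line, name+" ("), ")"), nil
		}
	}
	return "", sc.Err()
}

// CheckLoaded opens the kernel listing (readable only by root on most
// systems). An unprivileged caller gets EACCES; that is returned as
// known=false so the caller defers the check to the runtime's
// /proc/self/attr write instead of failing the way IsLoaded() did.
func CheckLoaded(path, name string) (loaded, known bool, err error) {
	f, err := os.Open(path)
	if errors.Is(err, fs.ErrPermission) {
		return false, false, nil
	}
	if err != nil {
		return false, false, err
	}
	defer f.Close()
	mode, err := ProfileMode(f, name)
	return mode != "", err == nil, err
}
```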
If AppArmor is enabled, then we now check if the `apparmor_parser`
binary is either in `/sbin` or in `$PATH`.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Almost all AppArmor errors are now wrapped to provide additional context
to the user about what actually went wrong. We now only use the spelling
`AppArmor` rather than `apparmor` to give the errors a uniform look.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
The `execAAParser()` function also takes `stderr` into account when
parsing the output. This function is right now only called by the
`getAAParserVersion()` function. Depending on the system configuration,
it might be possible that `apparmor_parser` prints a warning, for
example if `/etc/apparmor/parser.conf` does not exist on the system. To
leave this output out of the version parsing, we now just
use `stdout` as the returned result.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
The default AppArmor profile is now prefixed with
`container-default-$VERSION`, where the version is now part of a new
`version` package.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Move pkg/sysinfo and pkg/apparmor out of libpod into containers/common.
This will allow other packages to use these libraries without requiring all of libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>