Use CGO for apparmor profile switch

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <[email protected]> (github: creack)
AkihiroSuda · Mar 6, 2014 · d5957ad · d5957ad
1 parent bbf833d
commit d5957ad
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 12 deletions.
diff --git a/apparmor/apparmor.go b/apparmor/apparmor.go
@@ -1,9 +1,12 @@
 package apparmor
 
+// #cgo LDFLAGS: -lapparmor
+// #include <sys/apparmor.h>
+// #include <stdlib.h>
+import "C"
 import (
-	"fmt"
 	"io/ioutil"
-	"os"
+	"unsafe"
 )
 
 func IsEnabled() bool {
@@ -16,13 +19,10 @@ func ApplyProfile(pid int, name string) error {
 		return nil
 	}
 
-	f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
+	cName := C.CString(name)
+	defer C.free(unsafe.Pointer(cName))
 
-	if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+	if _, err := C.aa_change_onexec(cName); err != nil {
 		return err
 	}
 	return nil

diff --git a/nsinit/init.go b/nsinit/init.go
@@ -59,10 +59,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
 
-	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
-		return err
-	}
-
 	if err := setupNetwork(container, context); err != nil {
 		return fmt.Errorf("setup networking %s", err)
 	}
@@ -73,6 +69,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		return fmt.Errorf("finalize namespace %s", err)
 	}
 
+	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+		return err
+	}
 	return system.Execv(args[0], args[0:], container.Env)
 }