bsc1073877: apparmor: clobber docker-default profile on start

In the process of making docker-default reloading far less expensive, 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles") mistakenly made the initial profile load at dockerd start-up lazy. As a result, if you have a running Docker daemon and upgrade it to a new one with an updated AppArmor profile the new profile will not take effect (because the old one is still loaded). The fix for this is quite trivial, and just requires us to clobber the profile on start-up. Fixes: 567ef8e ("daemon: switch to 'ensure' workflow for AppArmor profiles") SUSE-Bugs: bsc#1099277 Signed-off-by: Aleksa Sarai <[email protected]>
SUSE · Dec 11, 2024 · 6a3ee39 · 6a3ee39
1 parent 7b07c25
commit 6a3ee39
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
 	return ""
 }
 
+func clobberDefaultAppArmorProfile() error {
+	if apparmor.HostSupports() {
+		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
+			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
+		}
+	}
+	return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
 	if apparmor.HostSupports() {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
 		}
 
 		// Load the profile.
-		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
-			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
-		}
+		return clobberDefaultAppArmorProfile()
 	}
-
 	return nil
 }
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
@@ -3,6 +3,10 @@
 
 package daemon // import "github.com/docker/docker/daemon"
 
+func clobberDefaultAppArmorProfile() error {
+	return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
 	return nil
 }

diff --git a/daemon/daemon.go b/daemon/daemon.go
@@ -845,8 +845,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
 	}
 
-	// ensureDefaultAppArmorProfile does nothing if apparmor is disabled
-	if err := ensureDefaultAppArmorProfile(); err != nil {
+	// Make sure we clobber any pre-existing docker-default profile to ensure
+	// that upgrades to the profile actually work smoothly.
+	if err := clobberDefaultAppArmorProfile(); err != nil {
 		logrus.Errorf(err.Error())
 	}