From 5472f39022e99c14b2f055eac4d9619e3663ae20 Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Fri, 9 Oct 2020 17:20:48 +0000
Subject: [PATCH] buildkit: Apply apparmor profile
Signed-off-by: Brian Goff
(cherry picked from commit 611eb6ffb32aa37876b4b47cec12e4fd47610838)
Renamed constant defaultAppArmorProfile to defaultApparmorProfile.
Signed-off-by: Tibor Vass
---
 builder/builder-next/builder.go | 1 +
 builder/builder-next/controller.go | 2 +-
 builder/builder-next/executor_unix.go | 3 ++-
 builder/builder-next/executor_windows.go | 2 +-
 cmd/dockerd/daemon.go | 1 +
 daemon/apparmor_default.go | 8 ++++++++
 daemon/apparmor_default_unsupported.go | 5 +++++
 7 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/builder/builder-next/builder.go b/builder/builder-next/builder.go
index 10c0083a31..f334a39267 100644
--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@@ -76,6 +76,7 @@ type Opt struct {
 Rootless bool
 IdentityMapping *idtools.IdentityMapping
 DNSConfig config.DNSConfig
+ ApparmorProfile string
 }
 // Builder can build using BuildKit backend
diff --git a/builder/builder-next/controller.go b/builder/builder-next/controller.go
index 33d3f54964..d5fa7f6c29 100644
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -116,7 +116,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
 dns := getDNSConfig(opt.DNSConfig)
- exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping)
+ exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping, opt.ApparmorProfile)
 if err != nil {
 return nil, err
 }
diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
index d684b9f6e2..d04334a004 100644
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@@ -24,7 +24,7 @@ import (
 const networkName = "bridge"
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping, apparmorProfile string) (executor.Executor, error) {
 networkProviders := map[pb.NetMode]network.Provider{
 pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},
 pb.NetMode_HOST: network.NewHostProvider(),
@@ -38,6 +38,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn
 NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
 IdentityMapping: idmap,
 DNS: dnsConfig,
+ ApparmorProfile: apparmorProfile,
 }, networkProviders)
 }
diff --git a/builder/builder-next/executor_windows.go b/builder/builder-next/executor_windows.go
index 6de6d529f3..4d80baf7ee 100644
--- a/builder/builder-next/executor_windows.go
+++ b/builder/builder-next/executor_windows.go
@@ -13,7 +13,7 @@ import (
 "github.com/moby/buildkit/executor/oci"
 )
-func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping) (executor.Executor, error) {
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping, _ string) (executor.Executor, error) {
 return &winExecutor{}, nil
 }
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index b26e07186c..c3942f238b 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -314,6 +314,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e
 Rootless: d.Rootless(),
 IdentityMapping: d.IdentityMapping(),
 DNSConfig: config.DNSConfig,
+ ApparmorProfile: daemon.DefaultApparmorProfile(),
 })
 if err != nil {
 return opts, err
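Review bot: The new `ApparmorProfile: apparmorProfile` field is forwarded into the runc executor options unconditionally, including when the `rootless` argument from the same signature is true; on a rootless daemon the host can report AppArmor as enabled while the daemon lacks the privilege to load `docker-default`, and what runc does with a profile name that is not loaded (refuse to start, or run unconfined) is decided in the executor outside this hunk, so it is worth confirming rather than assuming. Nothing in the struct literal tells a reader that the empty string is the "no AppArmor on this host" case that the unsupported build of DefaultApparmorProfile returns. Suggest a one-line comment on the new field: `// "" when the host has no AppArmor; the executor then presumably applies no profile (confirm in runcexecutor).` newExecutor's body starts outside this hunk.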
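Review bot: `daemon.DefaultApparmorProfile()` is resolved once here, when the router options are built, and it only asks whether AppArmor is enabled (see the apparmor_default.go hunk), not whether `docker-default` is currently loaded; so if the profile is later unloaded by an AppArmor reload, BuildKit keeps requesting it for the daemon's lifetime and I would expect runc to refuse to start the build container rather than silently run it unconfined. That fail-closed direction is the right one for a security control, but the once-at-startup resolution should be stated next to the field, e.g. `// Resolved once at startup: "docker-default" when AppArmor is enabled, "" otherwise; not re-checked per build.` newRouterOptions continues outside the hunk.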
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 461f5c7f96..78511ea68c 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -14,6 +14,14 @@ const (
 defaultApparmorProfile = "docker-default"
 )
+// DefaultApparmorProfile returns the name of the default apparmor profile
+func DefaultApparmorProfile() string {
+ if apparmor.IsEnabled() {
+ return defaultApparmorProfile
+ }
+ return ""
+}
+
 func ensureDefaultAppArmorProfile() error {
 if apparmor.IsEnabled() {
 loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index 51f9c526b3..dd581dc7da 100644
--- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go
@@ -5,3 +5,8 @@ package daemon // import "github.com/docker/docker/daemon"
 func ensureDefaultAppArmorProfile() error {
 return nil
 }
+
+// DefaultApparmorProfile returns an empty string.
+func DefaultApparmorProfile() string {
+ return ""
+}
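Review bot: The doc comment on the new `DefaultApparmorProfile` leaves out the two things callers need: it returns `""` when `apparmor.IsEnabled()` is false, and it reports the name without checking that the profile is loaded — the `aaprofile.IsLoaded` check lives in `ensureDefaultAppArmorProfile` just below, whose body continues outside the hunk. Suggest replacing the comment with `// DefaultApparmorProfile returns "docker-default" when AppArmor is enabled on the host and "" otherwise. It does not verify that the profile is loaded; see ensureDefaultAppArmorProfile.` The exported name spells it `Apparmor` while the neighbouring helper spells it `AppArmor`; the commit message says the constant was renamed for consistency, so the helper may deserve the same treatment in a follow-up.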