Provide mechanism to opt-out of app armor

Explicitly setting garden.apparmor_profile to '' will disable app armor.
cloudfoundry · Jan 10, 2017 · 0b6c4b7 · 0b6c4b7
1 parent 55c1381
commit 0b6c4b7
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/jobs/garden/templates/garden_ctl.erb b/jobs/garden/templates/garden_ctl.erb
@@ -64,15 +64,17 @@ function create_loop_devices() {
 
 function setup_apparmor() {
   export PATH=$PATH:$(readlink -nf /var/vcap/packages/apparmor/bin)
-  POLICY=garden-default
+  POLICY=<%= p("garden.apparmor_profile") %>
   CONFIG_DIR=/var/vcap/jobs/garden/config
 
   if ! mountpoint -q /sys/kernel/security; then
     mount -t securityfs securityfs /sys/kernel/security
   fi
 
-  if ! aa-status | grep $POLICY > /dev/null; then
-    apparmor_parser -a $CONFIG_DIR/$POLICY
+  if [ -n "$POLICY" ]; then
+    if ! aa-status | grep $POLICY > /dev/null; then
+        apparmor_parser -a $CONFIG_DIR/$POLICY
+    fi
   fi
 }
 
@@ -217,8 +219,8 @@ case $1 in
     <% p("garden.dns_servers").each do |server| %> \
       --dns-server=<%= server %> \
     <% end %> \
-    <% if_p("garden.apparmor_profile") do |apparmor_profile| %> \
-      --apparmor=<%= apparmor_profile %> \
+    <% unless p("garden.apparmor_profile").to_s.empty?  %> \
+      --apparmor=<%= p("garden.apparmor_profile") %> \
     <% end %>
     ;;