mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 22:37:14 +08:00
bfb4ea1b1b
The `apparmor_parser` binary is not really required for a system to run AppArmor from a runc perspective. How to apply the profile is more in the responsibility of higher level runtimes like Podman and Docker, which may do the binary check on their own. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
60 lines
1.3 KiB
Go
60 lines
1.3 KiB
Go
// +build apparmor,linux
|
|
|
|
package apparmor
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/utils"
|
|
)
|
|
|
|
// IsEnabled returns true if apparmor is enabled for the host.
|
|
func IsEnabled() bool {
|
|
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
|
|
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
|
|
return err == nil && bytes.HasPrefix(buf, []byte("Y"))
|
|
}
|
|
return false
|
|
}
|
|
|
|
func setProcAttr(attr, value string) error {
|
|
// Under AppArmor you can only change your own attr, so use /proc/self/
|
|
// instead of /proc/<tid>/ like libapparmor does
|
|
path := fmt.Sprintf("/proc/self/attr/%s", attr)
|
|
|
|
f, err := os.OpenFile(path, os.O_WRONLY, 0)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer f.Close()
|
|
|
|
if err := utils.EnsureProcHandle(f); err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = fmt.Fprintf(f, "%s", value)
|
|
return err
|
|
}
|
|
|
|
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
|
|
func changeOnExec(name string) error {
|
|
value := "exec " + name
|
|
if err := setProcAttr("exec", value); err != nil {
|
|
return fmt.Errorf("apparmor failed to apply profile: %s", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ApplyProfile will apply the profile with the specified name to the process after
|
|
// the next exec.
|
|
func ApplyProfile(name string) error {
|
|
if name == "" {
|
|
return nil
|
|
}
|
|
|
|
return changeOnExec(name)
|
|
}
|