opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-09-23 13:13:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

AppArmor: runtime check if it's enabled on the host

Browse Source 
Check at runtime if AppArmor is enabled on the host.

Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1128
Approved by: mheon
This commit is contained in:
Valentin Rothberg
2018-07-22 17:45:36 +02:00
committed by Atomic Bot
parent 2c11e38b24
commit 8569ed0305
7 changed files with 96 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
// +build apparmor,linux
package apparmor
import (
"fmt"
"io/ioutil"
"os"
)
// IsEnabled returns true if apparmor is enabled for the host.
func IsEnabled() bool {
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
}
return false
}
func setprocattr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
path := fmt.Sprintf("/proc/self/attr/%s", attr)
f, err := os.OpenFile(path, os.O_WRONLY, 0)
if err != nil {
return err
}
defer f.Close()
_, err = fmt.Fprintf(f, "%s", value)
return err
}
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
func changeOnExec(name string) error {
value := "exec " + name
if err := setprocattr("exec", value); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
}
// ApplyProfile will apply the profile with the specified name to the process after
// the next exec.
func ApplyProfile(name string) error {
if name == "" {
return nil
}
return changeOnExec(name)
}

20
vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go generated vendored Normal file
View File

@ -0,0 +1,20 @@
// +build !apparmor !linux
package apparmor
import (
"errors"
)
var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
func IsEnabled() bool {
return false
}
func ApplyProfile(name string) error {
if name != "" {
return ErrApparmorNotEnabled
}
return nil
}