pkg/apparmor: use a pipe instead of a tmp file

Use a pipe instead of a temporary file to load the apparmor profile.
This change has a measurable speed improvement for apparmor users.

Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1262
Approved by: mheon

1 files changed, 51 insertions, 0 deletions

diff --git a/pkg/apparmor/apparmor_linux_test.go b/pkg/apparmor/apparmor_linux_test.go
index 4aa3753d9..ac3260723 100644
--- a/pkg/apparmor/apparmor_linux_test.go
+++ b/pkg/apparmor/apparmor_linux_test.go
@@ -3,6 +3,7 @@
 package apparmor
 
 import (
+	"os"
 	"testing"
 )
 
@@ -76,3 +77,53 @@ Copyright 2009-2012 Canonical Ltd.
 		}
 	}
 }
+
+func TestInstallDefault(t *testing.T) {
+	profile := "libpod-default-testing"
+	aapath := "/sys/kernel/security/apparmor/"
+
+	if _, err := os.Stat(aapath); err != nil {
+		t.Skip("AppArmor isn't available in this environment")
+	}
+
+	// removes `profile`
+	removeProfile := func() error {
+		path := aapath + ".remove"
+
+		f, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, os.ModeAppend)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		_, err = f.WriteString(profile)
+		return err
+	}
+
+	// makes sure `profile` is loaded according to `state`
+	checkLoaded := func(state bool) {
+		loaded, err := IsLoaded(profile)
+		if err != nil {
+			t.Fatalf("Error searching AppArmor profile '%s': %v", profile, err)
+		}
+		if state != loaded {
+			if state {
+				t.Fatalf("AppArmor profile '%s' isn't loaded but should", profile)
+			} else {
+				t.Fatalf("AppArmor profile '%s' is loaded but shouldn't", profile)
+			}
+		}
+	}
+
+	// test installing the profile
+	if err := InstallDefault(profile); err != nil {
+		t.Fatalf("Couldn't install AppArmor profile '%s': %v", profile, err)
+	}
+	checkLoaded(true)
+
+	// remove the profile and check again
+	if err := removeProfile(); err != nil {
+		t.Fatalf("Couldn't remove AppArmor profile '%s': %v", profile, err)
+	}
+	checkLoaded(false)
+}