author | Valentin Rothberg <vrothberg@suse.com> | 2018-07-22 17:45:36 +0200 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-07-23 18:11:09 +0000 |
commit | 8569ed03056ce39e0dc163747089ed4b60b1b9b1 (patch) | |
tree | d1ab8cbae6dfc8ef27158f0b8890d2bec275e30d /vendor/github.com/opencontainers/runc/libcontainer | |
parent | 2c11e38b24942a18f43cb27d6c5145850a40be54 (diff) | |
AppArmor: runtime check if it's enabled on the host
Check at runtime if AppArmor is enabled on the host.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1128
Approved by: mheon
Diffstat (limited to 'vendor/github.com/opencontainers/runc/libcontainer')
-rw-r--r-- | vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go | 54 | ||||
-rw-r--r-- | vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go | 20 |
2 files changed, 74 insertions, 0 deletions
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
new file mode 100644
index 000000000..7fff0627f
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
@@ -0,0 +1,54 @@
+// +build apparmor,linux
+
+package apparmor
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+)
+
+// IsEnabled returns true if apparmor is enabled for the host.
+func IsEnabled() bool {
+ if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
+ if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+ buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+ return err == nil && len(buf) > 1 && buf[0] == 'Y'
+ }
+ }
+ return false
+}
+
+func setprocattr(attr, value string) error {
+ // Under AppArmor you can only change your own attr, so use /proc/self/
+ // instead of /proc/<tid>/ like libapparmor does
+ path := fmt.Sprintf("/proc/self/attr/%s", attr)
+
+ f, err := os.OpenFile(path, os.O_WRONLY, 0)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+
+ _, err = fmt.Fprintf(f, "%s", value)
+ return err
+}
+
+// changeOnExec reimplements aa_change_onexec from libapparmor in Go
+func changeOnExec(name string) error {
+ value := "exec " + name
+ if err := setprocattr("exec", value); err != nil {
+ return fmt.Errorf("apparmor failed to apply profile: %s", err)
+ }
+ return nil
+}
+
+// ApplyProfile will apply the profile with the specified name to the process after
+// the next exec.
+func ApplyProfile(name string) error {
+ if name == "" {
+ return nil
+ }
+
+ return changeOnExec(name)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go
new file mode 100644
index 000000000..d4110cf0b
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go
@@ -0,0 +1,20 @@
+// +build !apparmor !linux
+
+package apparmor
+
+import (
+ "errors"
+)
+
+var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
+
+func IsEnabled() bool {
+ return false
+}
+
+func ApplyProfile(name string) error {
+ if name != "" {
+ return ErrApparmorNotEnabled
+ }
+ return nil
+}
|