5 files changed, 0 insertions, 528 deletions
diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go
deleted file mode 100644
index 8e17361cb..000000000
--- a/pkg/apparmor/apparmor.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package apparmor
-
-import (
-	"errors"
-
-	"github.com/containers/common/pkg/config"
-	libpodVersion "github.com/containers/libpod/version"
-)
-
-var (
-	// DefaultLipodProfilePrefix is used for version-independent presence checks.
-	DefaultLipodProfilePrefix = config.DefaultApparmorProfile
-	// DefaultLibpodProfile is the name of default libpod AppArmor profile.
-	DefaultLibpodProfile = DefaultLipodProfilePrefix + "-" + libpodVersion.Version
-	// ErrApparmorUnsupported indicates that AppArmor support is not supported.
-	ErrApparmorUnsupported = errors.New("AppArmor is not supported")
-	// ErrApparmorRootless indicates that AppArmor support is not supported in rootless mode.
-	ErrApparmorRootless = errors.New("AppArmor is not supported in rootless mode")
-)
diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
deleted file mode 100644
index 33710ff56..000000000
--- a/pkg/apparmor/apparmor_linux.go
+++ /dev/null
@@ -1,289 +0,0 @@
-// +build linux,apparmor
-
-package apparmor
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-	"path"
-	"strconv"
-	"strings"
-	"text/template"
-
-	"github.com/containers/libpod/pkg/rootless"
-	runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-)
-
-// profileDirectory is the file store for apparmor profiles and macros.
-var profileDirectory = "/etc/apparmor.d"
-
-// IsEnabled returns true if AppArmor is enabled on the host.
-func IsEnabled() bool {
-	if rootless.IsRootless() {
-		return false
-	}
-	return runcaa.IsEnabled()
-}
-
-// profileData holds information about the given profile for generation.
-type profileData struct {
-	// Name is profile name.
-	Name string
-	// Imports defines the apparmor functions to import, before defining the profile.
-	Imports []string
-	// InnerImports defines the apparmor functions to import in the profile.
-	InnerImports []string
-	// Version is the {major, minor, patch} version of apparmor_parser as a single number.
-	Version int
-}
-
-// generateDefault creates an apparmor profile from ProfileData.
-func (p *profileData) generateDefault(out io.Writer) error {
-	compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate)
-	if err != nil {
-		return err
-	}
-
-	if macroExists("tunables/global") {
-		p.Imports = append(p.Imports, "#include <tunables/global>")
-	} else {
-		p.Imports = append(p.Imports, "@{PROC}=/proc/")
-	}
-
-	if macroExists("abstractions/base") {
-		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
-	}
-
-	ver, err := getAAParserVersion()
-	if err != nil {
-		return err
-	}
-	p.Version = ver
-
-	return compiled.Execute(out, p)
-}
-
-// macrosExists checks if the passed macro exists.
-func macroExists(m string) bool {
-	_, err := os.Stat(path.Join(profileDirectory, m))
-	return err == nil
-}
-
-// InstallDefault generates a default profile and loads it into the kernel
-// using 'apparmor_parser'.
-func InstallDefault(name string) error {
-	if rootless.IsRootless() {
-		return ErrApparmorRootless
-	}
-
-	p := profileData{
-		Name: name,
-	}
-
-	cmd := exec.Command("apparmor_parser", "-Kr")
-	pipe, err := cmd.StdinPipe()
-	if err != nil {
-		return err
-	}
-	if err := cmd.Start(); err != nil {
-		if pipeErr := pipe.Close(); pipeErr != nil {
-			logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
-		}
-		return err
-	}
-	if err := p.generateDefault(pipe); err != nil {
-		if pipeErr := pipe.Close(); pipeErr != nil {
-			logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
-		}
-		if cmdErr := cmd.Wait(); cmdErr != nil {
-			logrus.Errorf("unable to wait for apparmor command: %q", cmdErr)
-		}
-		return err
-	}
-
-	if pipeErr := pipe.Close(); pipeErr != nil {
-		logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
-	}
-	return cmd.Wait()
-}
-
-// DefaultContent returns the default profile content as byte slice. The
-// profile is named as the provided `name`. The function errors if the profile
-// generation fails.
-func DefaultContent(name string) ([]byte, error) {
-	p := profileData{Name: name}
-	var bytes bytes.Buffer
-	if err := p.generateDefault(&bytes); err != nil {
-		return nil, err
-	}
-	return bytes.Bytes(), nil
-}
-
-// IsLoaded checks if a profile with the given name has been loaded into the
-// kernel.
-func IsLoaded(name string) (bool, error) {
-	if name != "" && rootless.IsRootless() {
-		return false, errors.Wrapf(ErrApparmorRootless, "cannot load AppArmor profile %q", name)
-	}
-
-	file, err := os.Open("/sys/kernel/security/apparmor/profiles")
-	if err != nil {
-		if os.IsNotExist(err) {
-			return false, nil
-		}
-		return false, err
-	}
-	defer file.Close()
-
-	r := bufio.NewReader(file)
-	for {
-		p, err := r.ReadString('\n')
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return false, err
-		}
-		if strings.HasPrefix(p, name+" ") {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}
-
-// execAAParser runs `apparmor_parser` with the passed arguments.
-func execAAParser(dir string, args ...string) (string, error) {
-	c := exec.Command("apparmor_parser", args...)
-	c.Dir = dir
-
-	output, err := c.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
-	}
-
-	return string(output), nil
-}
-
-// getAAParserVersion returns the major and minor version of apparmor_parser.
-func getAAParserVersion() (int, error) {
-	output, err := execAAParser("", "--version")
-	if err != nil {
-		return -1, err
-	}
-	return parseAAParserVersion(output)
-}
-
-// parseAAParserVersion parses the given `apparmor_parser --version` output and
-// returns the major and minor version number as an integer.
-func parseAAParserVersion(output string) (int, error) {
-	// output is in the form of the following:
-	// AppArmor parser version 2.9.1
-	// Copyright (C) 1999-2008 Novell Inc.
-	// Copyright 2009-2012 Canonical Ltd.
-	lines := strings.SplitN(output, "\n", 2)
-	words := strings.Split(lines[0], " ")
-	version := words[len(words)-1]
-
-	// split by major minor version
-	v := strings.Split(version, ".")
-	if len(v) == 0 || len(v) > 3 {
-		return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
-	}
-
-	// Default the versions to 0.
-	var majorVersion, minorVersion, patchLevel int
-
-	majorVersion, err := strconv.Atoi(v[0])
-	if err != nil {
-		return -1, err
-	}
-
-	if len(v) > 1 {
-		minorVersion, err = strconv.Atoi(v[1])
-		if err != nil {
-			return -1, err
-		}
-	}
-	if len(v) > 2 {
-		patchLevel, err = strconv.Atoi(v[2])
-		if err != nil {
-			return -1, err
-		}
-	}
-
-	// major*10^5 + minor*10^3 + patch*10^0
-	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
-	return numericVersion, nil
-
-}
-
-// CheckProfileAndLoadDefault checks if the specified profile is loaded and
-// loads the DefaultLibpodProfile if the specified on is prefixed by
-// DefaultLipodProfilePrefix.  This allows to always load and apply the latest
-// default AppArmor profile.  Note that AppArmor requires root.  If it's a
-// default profile, return DefaultLipodProfilePrefix, otherwise the specified
-// one.
-func CheckProfileAndLoadDefault(name string) (string, error) {
-	if name == "unconfined" {
-		return name, nil
-	}
-
-	// AppArmor is not supported in rootless mode as it requires root
-	// privileges.  Return an error in case a specific profile is specified.
-	if rootless.IsRootless() {
-		if name != "" {
-			return "", errors.Wrapf(ErrApparmorRootless, "cannot load AppArmor profile %q", name)
-		} else {
-			logrus.Debug("skipping loading default AppArmor profile (rootless mode)")
-			return "", nil
-		}
-	}
-
-	// Check if AppArmor is disabled and error out if a profile is to be set.
-	if !runcaa.IsEnabled() {
-		if name == "" {
-			return "", nil
-		} else {
-			return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name)
-		}
-	}
-
-	// If the specified name is not empty or is not a default libpod one,
-	// ignore it and return the name.
-	if name != "" && !strings.HasPrefix(name, DefaultLipodProfilePrefix) {
-		isLoaded, err := IsLoaded(name)
-		if err != nil {
-			return "", err
-		}
-		if !isLoaded {
-			return "", fmt.Errorf("AppArmor profile %q specified but not loaded", name)
-		}
-		return name, nil
-	}
-
-	name = DefaultLibpodProfile
-	// To avoid expensive redundant loads on each invocation, check
-	// if it's loaded before installing it.
-	isLoaded, err := IsLoaded(name)
-	if err != nil {
-		return "", err
-	}
-	if !isLoaded {
-		err = InstallDefault(name)
-		if err != nil {
-			return "", err
-		}
-		logrus.Infof("successfully loaded AppAmor profile %q", name)
-	} else {
-		logrus.Infof("AppAmor profile %q is already loaded", name)
-	}
-
-	return name, nil
-}
diff --git a/pkg/apparmor/apparmor_linux_template.go b/pkg/apparmor/apparmor_linux_template.go
deleted file mode 100644
index 8d9a92ef7..000000000
--- a/pkg/apparmor/apparmor_linux_template.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// +build linux,apparmor
-
-package apparmor
-
-const libpodProfileTemplate = `
-{{range $value := .Imports}}
-{{$value}}
-{{end}}
-
-profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
-{{range $value := .InnerImports}}
-  {{$value}}
-{{end}}
-
-  network,
-  capability,
-  file,
-  umount,
-
-{{if ge .Version 208096}}
-  # Allow signals from privileged profiles and from within the same profile
-  signal (receive) peer=unconfined,
-  signal (send,receive) peer={{.Name}},
-{{end}}
-
-  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
-  # deny write to files not in /proc/<number>/** or /proc/sys/**
-  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
-  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
-  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/kcore rwklx,
-
-  deny mount,
-
-  deny /sys/[^f]*/** wklx,
-  deny /sys/f[^s]*/** wklx,
-  deny /sys/fs/[^c]*/** wklx,
-  deny /sys/fs/c[^g]*/** wklx,
-  deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/** rwklx,
-  deny /sys/kernel/security/** rwklx,
-
-{{if ge .Version 208095}}
-  # suppress ptrace denials when using using 'ps' inside a container
-  ptrace (trace,read) peer={{.Name}},
-{{end}}
-}
-`
diff --git a/pkg/apparmor/apparmor_linux_test.go b/pkg/apparmor/apparmor_linux_test.go
deleted file mode 100644
index 3ff6e18bc..000000000
--- a/pkg/apparmor/apparmor_linux_test.go
+++ /dev/null
@@ -1,140 +0,0 @@
-// +build linux,apparmor
-
-package apparmor
-
-import (
-	"os"
-	"testing"
-)
-
-type versionExpected struct {
-	output  string
-	version int
-}
-
-func TestParseAAParserVersion(t *testing.T) {
-	if !IsEnabled() {
-		t.Skip("AppArmor disabled: skipping tests")
-	}
-	versions := []versionExpected{
-		{
-			output: `AppArmor parser version 2.10
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 210000,
-		},
-		{
-			output: `AppArmor parser version 2.8
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 208000,
-		},
-		{
-			output: `AppArmor parser version 2.20
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 220000,
-		},
-		{
-			output: `AppArmor parser version 2.05
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 205000,
-		},
-		{
-			output: `AppArmor parser version 2.9.95
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 209095,
-		},
-		{
-			output: `AppArmor parser version 3.14.159
-Copyright (C) 1999-2008 Novell Inc.
-Copyright 2009-2012 Canonical Ltd.
-
-`,
-			version: 314159,
-		},
-	}
-
-	for _, v := range versions {
-		version, err := parseAAParserVersion(v.output)
-		if err != nil {
-			t.Fatalf("expected error to be nil for %#v, got: %v", v, err)
-		}
-		if version != v.version {
-			t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v)
-		}
-	}
-}
-
-const (
-	aapath  = "/sys/kernel/security/apparmor/"
-	profile = "libpod-default-testing"
-)
-
-func TestInstallDefault(t *testing.T) {
-	if _, err := os.Stat(aapath); err != nil {
-		t.Skip("AppArmor isn't available in this environment")
-	}
-
-	// removes `profile`
-	removeProfile := func() error {
-		path := aapath + ".remove"
-
-		f, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, os.ModeAppend)
-		if err != nil {
-			return err
-		}
-		defer f.Close()
-
-		_, err = f.WriteString(profile)
-		return err
-	}
-
-	// makes sure `profile` is loaded according to `state`
-	checkLoaded := func(state bool) {
-		loaded, err := IsLoaded(profile)
-		if err != nil {
-			t.Fatalf("Error searching AppArmor profile '%s': %v", profile, err)
-		}
-		if state != loaded {
-			if state {
-				t.Fatalf("AppArmor profile '%s' isn't loaded but should", profile)
-			} else {
-				t.Fatalf("AppArmor profile '%s' is loaded but shouldn't", profile)
-			}
-		}
-	}
-
-	// test installing the profile
-	if err := InstallDefault(profile); err != nil {
-		t.Fatalf("Couldn't install AppArmor profile '%s': %v", profile, err)
-	}
-	checkLoaded(true)
-
-	// remove the profile and check again
-	if err := removeProfile(); err != nil {
-		t.Fatalf("Couldn't remove AppArmor profile '%s': %v", profile, err)
-	}
-	checkLoaded(false)
-}
-
-func TestDefaultContent(t *testing.T) {
-	if _, err := os.Stat(aapath); err != nil {
-		t.Skip("AppArmor isn't available in this environment")
-	}
-	if _, err := DefaultContent(profile); err != nil {
-		t.Fatalf("Couldn't retrieve default AppArmor profile content '%s': %v", profile, err)
-	}
-}
diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go
deleted file mode 100644
index 13469f1b6..000000000
--- a/pkg/apparmor/apparmor_unsupported.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build !linux !apparmor
-
-package apparmor
-
-// IsEnabled dummy.
-func IsEnabled() bool {
-	return false
-}
-
-// InstallDefault dummy.
-func InstallDefault(name string) error {
-	return ErrApparmorUnsupported
-}
-
-// IsLoaded dummy.
-func IsLoaded(name string) (bool, error) {
-	return false, ErrApparmorUnsupported
-}
-
-// CheckProfileAndLoadDefault dummy.
-func CheckProfileAndLoadDefault(name string) (string, error) {
-	if name == "" {
-		return "", nil
-	}
-	return "", ErrApparmorUnsupported
-}
-
-// DefaultContent dummy.
-func DefaultContent(name string) ([]byte, error) {
-	return nil, nil
-}