// +build linux,apparmor package apparmor import ( "bufio" "fmt" "io" "io/ioutil" "os" "os/exec" "path" "strconv" "strings" "text/template" runcaa "github.com/opencontainers/runc/libcontainer/apparmor" ) // IsEnabled returns true if AppArmor is enabled on the host. func IsEnabled() bool { return runcaa.IsEnabled() } // profileData holds information about the given profile for generation. type profileData struct { // Name is profile name. Name string // Imports defines the apparmor functions to import, before defining the profile. Imports []string // InnerImports defines the apparmor functions to import in the profile. InnerImports []string // Version is the {major, minor, patch} version of apparmor_parser as a single number. Version int } // generateDefault creates an apparmor profile from ProfileData. func (p *profileData) generateDefault(out io.Writer) error { compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate) if err != nil { return err } if macroExists("tunables/global") { p.Imports = append(p.Imports, "#include ") } else { p.Imports = append(p.Imports, "@{PROC}=/proc/") } if macroExists("abstractions/base") { p.InnerImports = append(p.InnerImports, "#include ") } ver, err := getAAParserVersion() if err != nil { return err } p.Version = ver return compiled.Execute(out, p) } // macrosExists checks if the passed macro exists. func macroExists(m string) bool { _, err := os.Stat(path.Join(profileDirectory, m)) return err == nil } // InstallDefault generates a default profile in a temp directory determined by // os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'. func InstallDefault(name string) error { p := profileData{ Name: name, } // Install to a temporary directory. f, err := ioutil.TempFile("", name) if err != nil { return err } profilePath := f.Name() defer f.Close() defer os.Remove(profilePath) if err := p.generateDefault(f); err != nil { return err } return loadProfile(profilePath) } // IsLoaded checks if a profile with the given name has been loaded into the // kernel. func IsLoaded(name string) (bool, error) { file, err := os.Open("/sys/kernel/security/apparmor/profiles") if err != nil { if os.IsNotExist(err) { return false, nil } return false, err } defer file.Close() r := bufio.NewReader(file) for { p, err := r.ReadString('\n') if err == io.EOF { break } if err != nil { return false, err } if strings.HasPrefix(p, name+" ") { return true, nil } } return false, nil } // execAAParser runs `apparmor_parser` with the passed arguments. func execAAParser(dir string, args ...string) (string, error) { c := exec.Command("apparmor_parser", args...) c.Dir = dir output, err := c.CombinedOutput() if err != nil { return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err) } return string(output), nil } // loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to // replace the profile. The `-K` is necessary to make sure that apparmor_parser // doesn't try to write to a read-only filesystem. func loadProfile(profilePath string) error { _, err := execAAParser("", "-Kr", profilePath) return err } // getAAParserVersion returns the major and minor version of apparmor_parser. func getAAParserVersion() (int, error) { output, err := execAAParser("", "--version") if err != nil { return -1, err } return parseAAParserVersion(output) } // parseAAParserVersion parses the given `apparmor_parser --version` output and // returns the major and minor version number as an integer. func parseAAParserVersion(output string) (int, error) { // output is in the form of the following: // AppArmor parser version 2.9.1 // Copyright (C) 1999-2008 Novell Inc. // Copyright 2009-2012 Canonical Ltd. lines := strings.SplitN(output, "\n", 2) words := strings.Split(lines[0], " ") version := words[len(words)-1] // split by major minor version v := strings.Split(version, ".") if len(v) == 0 || len(v) > 3 { return -1, fmt.Errorf("parsing version failed for output: `%s`", output) } // Default the versions to 0. var majorVersion, minorVersion, patchLevel int majorVersion, err := strconv.Atoi(v[0]) if err != nil { return -1, err } if len(v) > 1 { minorVersion, err = strconv.Atoi(v[1]) if err != nil { return -1, err } } if len(v) > 2 { patchLevel, err = strconv.Atoi(v[2]) if err != nil { return -1, err } } // major*10^5 + minor*10^3 + patch*10^0 numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel return numericVersion, nil }