Merge pull request #239 from xlgao-zju/reload-apparmor-profile

reload default apparmor profile if it is unloaded
This commit is contained in:
Antonio Murdaca 2016-12-13 11:10:26 +01:00 committed by GitHub
commit 4bb0830c37
9 changed files with 142 additions and 96 deletions

View file

@ -0,0 +1,14 @@
package apparmor
const (
// DefaultApparmorProfile is the name of default apparmor profile name.
DefaultApparmorProfile = "ocid-default"
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// ProfileRuntimeDefault is he profile specifying the runtime default.
ProfileRuntimeDefault = "runtime/default"
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
ProfileNamePrefix = "localhost/"
)

View file

@ -4,35 +4,20 @@ package apparmor
import (
"bufio"
"fmt"
"io"
"io/ioutil"
"os"
"path"
"strings"
"time"
"github.com/Sirupsen/logrus"
"github.com/docker/docker/utils/templates"
"github.com/opencontainers/runc/libcontainer/apparmor"
)
const (
// defaultApparmorProfile is the name of default apparmor profile name.
defaultApparmorProfile = "ocid-default"
// profileDirectory is the file store for apparmor profiles and macros.
profileDirectory = "/etc/apparmor.d"
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// ProfileRuntimeDefault is he profile specifying the runtime default.
ProfileRuntimeDefault = "runtime/default"
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
ProfileNamePrefix = "localhost/"
// readConfigTimeout is the timeout of reading apparmor profiles.
readConfigTimeout = 10
)
// profileData holds information about the given profile for generation.
@ -47,15 +32,26 @@ type profileData struct {
Version int
}
// InstallDefaultAppArmorProfile installs default apparmor profile.
func InstallDefaultAppArmorProfile() {
if err := InstallDefault(defaultApparmorProfile); err != nil {
// Allow daemon to run if loading failed, but are active
// (possibly through another run, manually, or via system startup)
if !IsLoaded(defaultApparmorProfile) {
logrus.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
// EnsureDefaultApparmorProfile loads default apparmor profile, if it is not loaded.
func EnsureDefaultApparmorProfile() error {
if apparmor.IsEnabled() {
loaded, err := IsLoaded(DefaultApparmorProfile)
if err != nil {
return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", DefaultApparmorProfile, err)
}
// Nothing to do.
if loaded {
return nil
}
// Load the profile.
if err := InstallDefault(DefaultApparmorProfile); err != nil {
return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", DefaultApparmorProfile)
}
}
return nil
}
// IsEnabled returns true if apparmor is enabled for the host.
@ -90,35 +86,30 @@ func InstallDefault(name string) error {
return LoadProfile(f.Name())
}
// IsLoaded checks if a passed profile has been loaded into the kernel.
func IsLoaded(name string) bool {
// IsLoaded checks if a profile with the given name has been loaded into the
// kernel.
func IsLoaded(name string) (bool, error) {
file, err := os.Open("/sys/kernel/security/apparmor/profiles")
if err != nil {
return false
return false, err
}
defer file.Close()
ch := make(chan bool, 1)
go func() {
r := bufio.NewReader(file)
for {
p, err := r.ReadString('\n')
if err != nil {
ch <- false
}
if strings.HasPrefix(p, name+" ") {
ch <- true
}
r := bufio.NewReader(file)
for {
p, err := r.ReadString('\n')
if err == io.EOF {
break
}
if err != nil {
return false, err
}
if strings.HasPrefix(p, name+" ") {
return true, nil
}
}()
select {
case <-time.After(time.Duration(readConfigTimeout) * time.Second):
return false
case enabled := <-ch:
return enabled
}
return false, nil
}
// generateDefault creates an apparmor profile from ProfileData.

View file

@ -2,23 +2,14 @@
package apparmor
const (
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// ProfileRuntimeDefault is he profile specifying the runtime default.
ProfileRuntimeDefault = "runtime/default"
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
ProfileNamePrefix = "localhost/"
)
// IsEnabled returns false, when build without apparmor build tag.
func IsEnabled() bool {
return false
}
// InstallDefaultAppArmorProfile dose nothing, when build without apparmor build tag.
func InstallDefaultAppArmorProfile() {
// EnsureDefaultApparmorProfile dose nothing, when build without apparmor build tag.
func EnsureDefaultApparmorProfile() error {
return nil
}
// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.

View file

@ -188,6 +188,13 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
if s.appArmorEnabled {
appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
if appArmorProfileName != "" {
// reload default apparmor profile if it is unloaded.
if s.appArmorProfile == apparmor.DefaultApparmorProfile {
if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {
return nil, err
}
}
specgen.SetProcessApparmorProfile(appArmorProfileName)
}
}

View file

@ -333,6 +333,7 @@ func New(config *Config) (*Server, error) {
},
seccompEnabled: seccompEnabled(),
appArmorEnabled: apparmor.IsEnabled(),
appArmorProfile: config.ApparmorProfile,
}
seccompProfile, err := ioutil.ReadFile(config.SeccompProfile)
if err != nil {
@ -344,10 +345,11 @@ func New(config *Config) (*Server, error) {
}
s.seccompProfile = seccompConfig
if s.appArmorEnabled {
apparmor.InstallDefaultAppArmorProfile()
if s.appArmorEnabled && s.appArmorProfile == apparmor.DefaultApparmorProfile {
if err := apparmor.EnsureDefaultApparmorProfile(); err != nil {
return nil, fmt.Errorf("ensuring the default apparmor profile is installed failed: %v", err)
}
}
s.appArmorProfile = config.ApparmorProfile
s.podIDIndex = truncindex.NewTruncIndex([]string{})
s.podNameIndex = registrar.NewRegistrar()

View file

@ -15,8 +15,8 @@ function teardown() {
fi
# this test requires apparmor, so skip this test if apparmor is not enabled.
enabled=is_apparmor_enabled
if [[ "$enabled" = "0" ]]; then
enabled=$(is_apparmor_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since apparmor is not enabled."
fi
@ -52,12 +52,12 @@ function teardown() {
fi
# this test requires apparmor, so skip this test if apparmor is not enabled.
enabled=is_apparmor_enabled
if [[ "$enabled" -eq "0" ]]; then
enabled=$(is_apparmor_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since apparmor is not enabled."
fi
load_apparmor_test_profile
load_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
start_ocid "" "$APPARMOR_TEST_PROFILE_NAME"
sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname2": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor2.json
@ -79,7 +79,7 @@ function teardown() {
cleanup_ctrs
cleanup_pods
stop_ocid
remove_apparmor_test_profile
remove_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
}
# 3. test running with loading a specific apparmor profile but not as ocid default apparmor profile.
@ -91,12 +91,12 @@ function teardown() {
fi
# this test requires apparmor, so skip this test if apparmor is not enabled.
enabled=is_apparmor_enabled
if [[ "$enabled" -eq "0" ]]; then
enabled=$(is_apparmor_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since apparmor is not enabled."
fi
load_apparmor_test_profile
load_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
start_ocid
sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname3": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor3.json
@ -118,7 +118,7 @@ function teardown() {
cleanup_ctrs
cleanup_pods
stop_ocid
remove_apparmor_test_profile
remove_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
}
# 4. test running with wrong apparmor profile name.
@ -130,8 +130,8 @@ function teardown() {
fi
# this test requires apparmor, so skip this test if apparmor is not enabled.
enabled=is_apparmor_enabled
if [[ "$enabled" -eq "0" ]]; then
enabled=$(is_apparmor_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since apparmor is not enabled."
fi
@ -149,6 +149,44 @@ function teardown() {
[[ "$output" =~ "Creating container failed" ]]
cleanup_ctrs
cleanup_pods
stop_ocid
}
# 5. test running with default apparmor profile unloaded.
# test that we can will fail when running a ctr with rong apparmor profile name.
@test "run a container after unloading default apparmor profile" {
# this test requires docker, thus it can't yet be run in a container
if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
skip "cannot yet run this test in a container, use sudo make localintegration"
fi
# this test requires apparmor, so skip this test if apparmor is not enabled.
enabled=$(is_apparmor_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since apparmor is not enabled."
fi
start_ocid
remove_apparmor_profile "$FAKE_OCID_DEFAULT_PROFILE_PATH"
sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname5": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor5.json
run ocic pod create --name apparmor5 --config "$TESTDIR"/apparmor5.json
echo "$output"
[ "$status" -eq 0 ]
pod_id="$output"
run ocic ctr create --name testname5 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
echo "$output"
[ "$status" -eq 0 ]
ctr_id="$output"
[ "$status" -eq 0 ]
run ocic ctr execsync --id "$ctr_id" touch test.txt
echo "$output"
[ "$status" -eq 0 ]
cleanup_ctrs
cleanup_pods
stop_ocid

View file

@ -28,6 +28,8 @@ RUNC_BINARY=${RUNC_PATH:-/usr/local/sbin/runc}
APPARMOR_PARSER_BINARY=${APPARMOR_PARSER_BINARY:-/sbin/apparmor_parser}
# Path of the apparmor profile for test.
APPARMOR_TEST_PROFILE_PATH=${APPARMOR_TEST_PROFILE_PATH:-${TESTDATA}/apparmor_test_deny_write}
# Path of the apparmor profile for unloading ocid-default.
FAKE_OCID_DEFAULT_PROFILE_PATH=${FAKE_OCID_DEFAULT_PROFILE_PATH:-${TESTDATA}/fake_ocid_default}
# Name of the apparmor profile for test.
APPARMOR_TEST_PROFILE_NAME=${APPARMOR_TEST_PROFILE_NAME:-apparmor-test-deny-write}
# Path of boot config.
@ -158,12 +160,12 @@ function cleanup_test() {
}
function load_apparmor_test_profile() {
"$APPARMOR_PARSER_BINARY" -r "$APPARMOR_TEST_PROFILE_PATH"
function load_apparmor_profile() {
"$APPARMOR_PARSER_BINARY" -r "$1"
}
function remove_apparmor_test_profile() {
"$APPARMOR_PARSER_BINARY" -R "$APPARMOR_TEST_PROFILE_PATH"
function remove_apparmor_profile() {
"$APPARMOR_PARSER_BINARY" -R "$1"
}
function is_seccomp_enabled() {

View file

@ -15,8 +15,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -56,8 +56,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -97,8 +97,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -133,8 +133,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -158,8 +158,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -202,8 +202,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -243,8 +243,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -284,8 +284,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -325,8 +325,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi
@ -362,8 +362,8 @@ function teardown() {
fi
# this test requires seccomp, so skip this test if seccomp is not enabled.
enabled=is_seccomp_enabled
if [[ "$enabled" =~ "0" ]]; then
enabled=$(is_seccomp_enabled)
if [[ "$enabled" -eq 0 ]]; then
skip "skip this test since seccomp is not enabled."
fi

1
test/testdata/fake_ocid_default vendored Normal file
View file

@ -0,0 +1 @@
profile ocid-default flags=(attach_disconnected) {}