add apparmor build tag and update readme
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
parent
bec3c3e2aa
commit
4f323377ee
10 changed files with 235 additions and 64 deletions
|
@ -1,3 +1,5 @@
|
|||
// +build apparmor
|
||||
|
||||
package apparmor
|
||||
|
||||
import (
|
||||
|
@ -35,7 +37,7 @@ func cmd(dir string, arg ...string) (string, error) {
|
|||
|
||||
output, err := c.CombinedOutput()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err)
|
||||
return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
|
||||
}
|
||||
|
||||
return string(output), nil
|
||||
|
|
|
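Review bot: The retained `return "", fmt.Errorf(...)` line prints the command twice, because `c.Path` is followed by `strings.Join(c.Args, " ")` and `exec.Command` stores the program name in `Args[0]`, so the message reads like `/sbin/apparmor_parser apparmor_parser -r <file>`. Formatting `strings.Join(c.Args, " ")` alone (or `c.Path` with `c.Args[1:]`) gives the command as it was actually run; if `c` is built some other way above the hunk this does not apply. The body of cmd starts outside the hunk.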
@ -1,3 +1,5 @@
|
|||
// +build apparmor
|
||||
|
||||
package apparmor
|
||||
|
||||
import (
|
||||
|
@ -7,6 +9,7 @@ import (
|
|||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/Sirupsen/logrus"
|
||||
"github.com/docker/docker/utils/templates"
|
||||
|
@ -27,6 +30,9 @@ const (
|
|||
ProfileRuntimeDefault = "runtime/default"
|
||||
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
|
||||
ProfileNamePrefix = "localhost/"
|
||||
|
||||
// readConfigTimeout is the timeout of reading apparmor profiles.
|
||||
readConfigTimeout = 10
|
||||
)
|
||||
|
||||
// profileData holds information about the given profile for generation.
|
||||
|
@ -46,7 +52,7 @@ func InstallDefaultAppArmorProfile() {
|
|||
if err := InstallDefault(defaultApparmorProfile); err != nil {
|
||||
// Allow daemon to run if loading failed, but are active
|
||||
// (possibly through another run, manually, or via system startup)
|
||||
if err := IsLoaded(defaultApparmorProfile); err != nil {
|
||||
if !IsLoaded(defaultApparmorProfile) {
|
||||
logrus.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
|
||||
}
|
||||
}
|
||||
|
@ -75,38 +81,43 @@ func InstallDefault(name string) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
profilePath := f.Name()
|
||||
|
||||
defer f.Close()
|
||||
|
||||
if err := p.generateDefault(f); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := LoadProfile(profilePath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
return LoadProfile(f.Name())
|
||||
}
|
||||
|
||||
// IsLoaded checks if a passed profile has been loaded into the kernel.
|
||||
func IsLoaded(name string) error {
|
||||
func IsLoaded(name string) bool {
|
||||
file, err := os.Open("/sys/kernel/security/apparmor/profiles")
|
||||
if err != nil {
|
||||
return err
|
||||
return false
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
r := bufio.NewReader(file)
|
||||
for {
|
||||
p, err := r.ReadString('\n')
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if strings.HasPrefix(p, name+" ") {
|
||||
return nil
|
||||
ch := make(chan bool, 1)
|
||||
|
||||
go func() {
|
||||
r := bufio.NewReader(file)
|
||||
for {
|
||||
p, err := r.ReadString('\n')
|
||||
if err != nil {
|
||||
ch <- false
|
||||
}
|
||||
if strings.HasPrefix(p, name+" ") {
|
||||
ch <- true
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
select {
|
||||
case <-time.After(time.Duration(readConfigTimeout) * time.Second):
|
||||
return false
|
||||
case enabled := <-ch:
|
||||
return enabled
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -133,10 +144,7 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
|||
}
|
||||
p.Version = ver
|
||||
|
||||
if err := compiled.Execute(out, p); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
return compiled.Execute(out, p)
|
||||
}
|
||||
|
||||
// macrosExists checks if the passed macro exists.
|
||||
|
|
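Review bot: The goroutine in the new IsLoaded never returns: after `ch <- false` on a read error, and after `ch <- true` on a match, the loop keeps calling `ReadString`, and the second error send blocks forever on the one-slot channel, so every call leaks a goroutine (plus the reader over `file`, which `defer file.Close()` closes under it once the select returns). Each send should be followed by `return`, and since `ReadString` returns the final unterminated line together with `io.EOF`, the prefix test should run before the error test or a last line without a trailing newline is never matched (the old version had the same gap). Note that the caller in InstallDefaultAppArmorProfile only logs when this returns false, so a timeout or read failure leaves the daemon running without the default profile; that is the existing policy, but it is worth a comment on `readConfigTimeout`. Declaring the constant as `readConfigTimeout = 10 * time.Second` would also remove the `time.Duration(...)` conversion at the select.
```go
	go func() {
		r := bufio.NewReader(file)
		for {
			p, err := r.ReadString('\n')
			if strings.HasPrefix(p, name+" ") {
				ch <- true
				return
			}
			if err != nil {
				ch <- false
				return
			}
		}
	}()
	// … unchanged: select on readConfigTimeout / ch …
```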
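--- a/server/apparmor/apparmor_unsupported.go
+++ b/server/apparmor/apparmor_unsupported.go
@@ -0,0 +1,27 @@
+// +build !apparmor
+
+package apparmor
+
+const (
+	// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
+	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+
+	// ProfileRuntimeDefault is he profile specifying the runtime default.
+	ProfileRuntimeDefault = "runtime/default"
+	// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+	ProfileNamePrefix = "localhost/"
+)
+
+// IsEnabled returns false, when build without apparmor build tag.
+func IsEnabled() bool {
+	return false
+}
+
+// InstallDefaultAppArmorProfile dose nothing, when build without apparmor build tag.
+func InstallDefaultAppArmorProfile() {
+}
+
+// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.
+func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
+	return ""
+}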
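Review bot: The exported constants in this stub duplicate the ones in the `apparmor`-tagged file (ProfileRuntimeDefault and ProfileNamePrefix are visible there in the same commit; ContainerAnnotationKeyPrefix presumably too), so the two copies can drift apart without the compiler noticing, and the server package compares annotation values against whichever copy was built in. Moving the `const (...)` block into an untagged file shared by both builds removes the duplication. The doc comments also need wording fixes: `// ProfileRuntimeDefault is the profile specifying the runtime default.`, `// InstallDefaultAppArmorProfile does nothing when built without the apparmor build tag.`, and for the last function `// GetProfileNameFromPodAnnotations returns "" when built without the apparmor build tag.`, since it returns a value rather than doing nothing.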
@ -1,3 +1,5 @@
|
|||
// +build apparmor
|
||||
|
||||
package apparmor
|
||||
|
||||
// baseTemplate defines the default apparmor profile for containers.
|
||||
|
|
|
@ -397,6 +397,5 @@ func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName s
|
|||
return s.appArmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||
return profileName
|
||||
return strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||
}
|
||||
|
|
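Review bot: The new single-line `return strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)` passes an annotation value that lacks the `localhost/` prefix through unchanged, because TrimPrefix is a no-op when the prefix is absent, so unless the branches above this hunk already reject such values, an arbitrary annotation string becomes the profile name handed to the runtime. Either a guard like `if !strings.HasPrefix(profile, apparmor.ProfileNamePrefix) { return s.appArmorProfile }` before the return, or a comment stating that the value was validated earlier, would make the contract explicit. getAppArmorProfileName starts outside the hunk, so the earlier checks are not visible here.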