jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

libcontainer: remove dependency on libapparmor 

libapparmor is integrated in libcontainer using cgo but is only used to
call a single function: aa_change_onexec. It turns out this function is
simple enough (writing a string to a file in /proc/<n>/attr/...) to be
re-implemented locally in libcontainer in plain Go.

This allows to drop the dependency on libapparmor and the corresponding
cgo integration.

Fixes #1674

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This commit is contained in:
Tobias Klauser 2017-12-11 11:19:13 +01:00
parent bdee9adedc
commit db093f621f
3 changed files with 28 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -23,7 +23,7 @@ env:
before_install: before_install:
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
- sudo apt-get -qq update - sudo apt-get -qq update
- sudo apt-get install -y libapparmor-dev libseccomp-dev/trusty-backports - sudo apt-get install -y libseccomp-dev/trusty-backports
- go get -u github.com/golang/lint/golint - go get -u github.com/golang/lint/golint
- go get -u github.com/vbatts/git-validation - go get -u github.com/vbatts/git-validation
- env | grep TRAVIS_ - env | grep TRAVIS_

2
README.md
View File

@ -56,7 +56,7 @@ make BUILDTAGS='seccomp apparmor'
|-----------|------------------------------------|-------------| |-----------|------------------------------------|-------------|
| seccomp | Syscall filtering | libseccomp | | seccomp | Syscall filtering | libseccomp |
| selinux | selinux process and mount labeling | <none> | | selinux | selinux process and mount labeling | <none> |
| apparmor | apparmor profile support | libapparmor | | apparmor | apparmor profile support | <none> |
| ambient | ambient capability support | kernel 4.3 | | ambient | ambient capability support | kernel 4.3 |

37
libcontainer/apparmor/apparmor.go
View File

@ -2,15 +2,10 @@
package apparmor package apparmor
// #cgo LDFLAGS: -lapparmor
// #include <sys/apparmor.h>
// #include <stdlib.h>
import "C"
import ( import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
"unsafe"
) )
// IsEnabled returns true if apparmor is enabled for the host. // IsEnabled returns true if apparmor is enabled for the host.
@ -24,16 +19,36 @@ func IsEnabled() bool {
return false return false
} }
func setprocattr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
path := fmt.Sprintf("/proc/self/attr/%s", attr)
f, err := os.OpenFile(path, os.O_WRONLY, 0)
if err != nil {
return err
}
defer f.Close()
_, err = fmt.Fprintf(f, "%s", value)
return err
}
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
func changeOnExec(name string) error {
value := "exec " + name
if err := setprocattr("exec", value); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
}
// ApplyProfile will apply the profile with the specified name to the process after // ApplyProfile will apply the profile with the specified name to the process after
// the next exec. // the next exec.
func ApplyProfile(name string) error { func ApplyProfile(name string) error {
if name == "" { if name == "" {
return nil return nil
} }
cName := C.CString(name)
defer C.free(unsafe.Pointer(cName)) return changeOnExec(name)
if _, err := C.aa_change_onexec(cName); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
} }