Merge pull request #1464 from mikebrow/test-apparmor-profile

move up to latest critools; add apparmor profile check
2020-04-27 11:16:28 +08:00 · 2020-04-27 11:16:28 +08:00 · 197dca5a35
commit 197dca5a35
parent 14c4b47bb1 776c125e4f
3 changed files with 45 additions and 7 deletions
--- a/hack/utils.sh
+++ b/hack/utils.sh
@ -17,7 +17,7 @@
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..

 # Not from vendor.conf.
-CRITOOL_VERSION=v1.16.1
+CRITOOL_VERSION=v1.18.0
 CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools
 CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools

--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@ -19,6 +19,9 @@
 package server

 import (
+	"bufio"
+	"io"
+	"os"
 	"strconv"
 	"strings"

@ -353,7 +356,41 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 		if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
 			return nil, errors.Errorf("invalid apparmor profile %q", apparmorProf)
 		}
-		return apparmor.WithProfile(strings.TrimPrefix(apparmorProf, profileNamePrefix)), nil
+		appArmorProfile := strings.TrimPrefix(apparmorProf, profileNamePrefix)
+		if profileExists, err := appArmorProfileExists(appArmorProfile); !profileExists {
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to generate apparmor spec opts")
+			}
+			return nil, errors.Errorf("apparmor profile not found %s", appArmorProfile)
+		}
+		return apparmor.WithProfile(appArmorProfile), nil
+	}
+}
+
+// appArmorProfileExists scans apparmor/profiles for the requested profile
+func appArmorProfileExists(profile string) (bool, error) {
+	if profile == "" {
+		return false, errors.New("nil apparmor profile is not supported")
+	}
+	profiles, err := os.Open("/sys/kernel/security/apparmor/profiles")
+	if err != nil {
+		return false, err
+	}
+	defer profiles.Close()
+
+	rbuff := bufio.NewReader(profiles)
+	for {
+		line, err := rbuff.ReadString('\n')
+		switch err {
+		case nil:
+			if strings.HasPrefix(line, profile+" (") {
+				return true, nil
+			}
+		case io.EOF:
+			return false, nil
+		default:
+			return false, err
+		}
 	}
 }

--- a/pkg/server/container_create_unix_test.go
+++ b/pkg/server/container_create_unix_test.go
@ -882,14 +882,15 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    runtimeDefault,
 			privileged: true,
 		},
-		"should set specified profile when local profile is specified": {
-			profile:  profileNamePrefix + "test-profile",
-			specOpts: apparmor.WithProfile("test-profile"),
+		// TODO (mikebrow) add success with exising defined profile tests
+		"should return error when undefined local profile is specified": {
+			profile:   profileNamePrefix + "test-profile",
+			expectErr: true,
 		},
-		"should set apparmor when local profile is specified and privileged is true": {
+		"should return error when undefined local profile is specified and privileged is true": {
 			profile:    profileNamePrefix + "test-profile",
 			privileged: true,
-			specOpts:   apparmor.WithProfile("test-profile"),
+			expectErr:  true,
 		},
 		"should return error if specified profile is invalid": {
 			profile:   "test-profile",