From 776c125e4f9dccb6b7f1a0f6273b1b3c7965ded1 Mon Sep 17 00:00:00 2001
From: Mike Brown
Date: Sun, 26 Apr 2020 15:46:32 -0500
Subject: [PATCH] move up to latest critools; add apparmor profile check
Signed-off-by: Mike Brown
---
 hack/utils.sh | 2 +-
 pkg/server/container_create_unix.go | 39 +++++++++++++++++++++++-
 pkg/server/container_create_unix_test.go | 11 ++++---
 3 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/hack/utils.sh b/hack/utils.sh
index 022ef0a42..8c8612d3c 100755
--- a/hack/utils.sh
+++ b/hack/utils.sh
@@ -17,7 +17,7 @@ ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
 # Not from vendor.conf.
-CRITOOL_VERSION=v1.16.1
+CRITOOL_VERSION=v1.18.0
 CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools
 CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools
diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
index 129d7fb9a..6093453cd 100644
--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -19,6 +19,9 @@ package server
 import (
+ "bufio"
+ "io"
+ "os"
 "strconv"
 "strings"
@@ -353,7 +356,41 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
 return nil, errors.Errorf("invalid apparmor profile %q", apparmorProf)
 }
- return apparmor.WithProfile(strings.TrimPrefix(apparmorProf, profileNamePrefix)), nil
+ appArmorProfile := strings.TrimPrefix(apparmorProf, profileNamePrefix)
+ if profileExists, err := appArmorProfileExists(appArmorProfile); !profileExists {
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to generate apparmor spec opts")
+ }
+ return nil, errors.Errorf("apparmor profile not found %s", appArmorProfile)
+ }
+ return apparmor.WithProfile(appArmorProfile), nil
+ }
+}
+
+// appArmorProfileExists scans apparmor/profiles for the requested profile
+func appArmorProfileExists(profile string) (bool, error) {
+ if profile == "" {
+ return false, errors.New("nil apparmor profile is not supported")
+ }
+ profiles, err := os.Open("/sys/kernel/security/apparmor/profiles")
+ if err != nil {
+ return false, err
+ }
+ defer profiles.Close()
+
+ rbuff := bufio.NewReader(profiles)
+ for {
+ line, err := rbuff.ReadString('\n')
+ switch err {
+ case nil:
+ if strings.HasPrefix(line, profile+" (") {
+ return true, nil
+ }
+ case io.EOF:
+ return false, nil
+ default:
+ return false, err
+ }
 }
 }
diff --git a/pkg/server/container_create_unix_test.go b/pkg/server/container_create_unix_test.go
index 0cea009ec..4b54ae49c 100644
--- a/pkg/server/container_create_unix_test.go
+++ b/pkg/server/container_create_unix_test.go
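Review bot: In `appArmorProfileExists`, a final line without a trailing newline is never matched — `ReadString` hands that text back together with `io.EOF`, and the `case io.EOF` branch returns false without checking it — and the hard-coded `os.Open` of `/sys/kernel/security/apparmor/profiles` is what leaves the success path untestable (the test file's TODO). The kernel appears to newline-terminate every entry, so the first point is latent today, but both are resolved by splitting the open from the scan as below, with the scan taking an `io.Reader` and using `bufio.Scanner`, which yields the last line with or without a newline. At the call site, the usual Go shape is `exists, err := appArmorProfileExists(appArmorProfile)` followed by `if err != nil { ... }` and then `if !exists { ... }`, which removes the `if err != nil` nested inside the `!profileExists` branch. Failing closed when the profiles file cannot be opened is right for a security control, since a profile that cannot be verified cannot be relied on to be enforced; `generateApparmorSpecOpts` starts before this hunk, so its earlier handling of `privileged` and `apparmorEnabled` is not visible here.
```go
// appArmorProfileExists reports whether profile is loaded in the kernel by
// scanning /sys/kernel/security/apparmor/profiles.
func appArmorProfileExists(profile string) (bool, error) {
	if profile == "" {
		return false, errors.New("nil apparmor profile is not supported")
	}
	profiles, err := os.Open("/sys/kernel/security/apparmor/profiles")
	if err != nil {
		return false, err
	}
	defer profiles.Close()
	return appArmorProfileListed(profiles, profile)
}

// appArmorProfileListed reports whether r, read as one "name (mode)" entry
// per line, contains profile. Kept separate from the file open so tests can
// drive it with a strings.Reader.
func appArmorProfileListed(r io.Reader, profile string) (bool, error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), profile+" (") {
			return true, nil
		}
	}
	return false, sc.Err()
}
```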
@@ -882,14 +882,15 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 profile: runtimeDefault,
 privileged: true,
 },
- "should set specified profile when local profile is specified": {
- profile: profileNamePrefix + "test-profile",
- specOpts: apparmor.WithProfile("test-profile"),
+ // TODO (mikebrow) add success with exising defined profile tests
+ "should return error when undefined local profile is specified": {
+ profile: profileNamePrefix + "test-profile",
+ expectErr: true,
 },
- "should set apparmor when local profile is specified and privileged is true": {
+ "should return error when undefined local profile is specified and privileged is true": {
 profile: profileNamePrefix + "test-profile",
 privileged: true,
- specOpts: apparmor.WithProfile("test-profile"),
+ expectErr: true,
 },
 "should return error if specified profile is invalid": {
 profile: "test-profile",
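Review bot: The two new `expectErr: true` cases pass for a reason that depends on the host rather than on the code under test: where `/sys/kernel/security/apparmor/profiles` is absent the error comes from `os.Open` failing inside `appArmorProfileExists`, and only on a host with AppArmor enabled does it come from the `apparmor profile not found` path, so the test cannot tell which branch it exercised, and with the two positive cases removed the success path has no coverage at all. A seam for the profiles source (a package-level path variable, or an `io.Reader`-taking scan helper) would let the TODO be written against a fixture such as `test-profile (enforce)\n` with a `strings.NewReader`. The TODO comment also has a typo; `// TODO (mikebrow) add success with existing defined profile tests`. `TestGenerateApparmorSpecOpts` begins before this hunk and its table continues after it.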