github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #1464 from mikebrow/test-apparmor-profile

Browse Source 
move up to latest critools; add apparmor profile check
This commit is contained in:
Wei Fu
2020-04-27 11:16:28 +08:00
committed by GitHub
parent 14c4b47bb1 776c125e4f
commit 197dca5a35
3 changed files with 45 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hack/utils.sh
View File

@@ -17,7 +17,7 @@
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/.. ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
# Not from vendor.conf. # Not from vendor.conf.
CRITOOL_VERSION=v1.16.1 CRITOOL_VERSION=v1.18.0
CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools
CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools

39
pkg/server/container_create_unix.go
View File

@@ -19,6 +19,9 @@
package server package server
import ( import (
"bufio"
"io"
"os"
"strconv" "strconv"
"strings" "strings"
@@ -353,7 +356,41 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
if !strings.HasPrefix(apparmorProf, profileNamePrefix) { if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
return nil, errors.Errorf("invalid apparmor profile %q", apparmorProf) return nil, errors.Errorf("invalid apparmor profile %q", apparmorProf)
} }
return apparmor.WithProfile(strings.TrimPrefix(apparmorProf, profileNamePrefix)), nil appArmorProfile := strings.TrimPrefix(apparmorProf, profileNamePrefix)
if profileExists, err := appArmorProfileExists(appArmorProfile); !profileExists {
if err != nil {
return nil, errors.Wrap(err, "failed to generate apparmor spec opts")
}
return nil, errors.Errorf("apparmor profile not found %s", appArmorProfile)
}
return apparmor.WithProfile(appArmorProfile), nil
}
}
// appArmorProfileExists scans apparmor/profiles for the requested profile
func appArmorProfileExists(profile string) (bool, error) {
if profile == "" {
return false, errors.New("nil apparmor profile is not supported")
}
profiles, err := os.Open("/sys/kernel/security/apparmor/profiles")
if err != nil {
return false, err
}
defer profiles.Close()
rbuff := bufio.NewReader(profiles)
for {
line, err := rbuff.ReadString('\n')
switch err {
case nil:
if strings.HasPrefix(line, profile+" (") {
return true, nil
}
case io.EOF:
return false, nil
default:
return false, err
}
} }
} }

9
pkg/server/container_create_unix_test.go
View File

@@ -882,14 +882,15 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
profile: runtimeDefault, profile: runtimeDefault,
privileged: true, privileged: true,
}, },
"should set specified profile when local profile is specified": { // TODO (mikebrow) add success with exising defined profile tests
"should return error when undefined local profile is specified": {
profile: profileNamePrefix + "test-profile", profile: profileNamePrefix + "test-profile",
specOpts: apparmor.WithProfile("test-profile"), expectErr: true,
}, },
"should set apparmor when local profile is specified and privileged is true": { "should return error when undefined local profile is specified and privileged is true": {
profile: profileNamePrefix + "test-profile", profile: profileNamePrefix + "test-profile",
privileged: true, privileged: true,
specOpts: apparmor.WithProfile("test-profile"), expectErr: true,
}, },
"should return error if specified profile is invalid": { "should return error if specified profile is invalid": {
profile: "test-profile", profile: "test-profile",