Merge pull request #8086 from neersighted/apparmor_parser_regression

Revert `apparmor_parser` regression
Fu Wei 2023-02-11 09:27:53 +08:00 committed by GitHub
commit cf7b705dcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 10 deletions


@ -16,13 +16,13 @@
package apparmor package apparmor
// HostSupports returns true if apparmor is enabled for the host, // On non-Linux returns false // HostSupports returns true if apparmor is enabled for the host:
// On Linux returns true if apparmor_parser is enabled, and if we // - On Linux returns true if apparmor is enabled, apparmor_parser is
// present, and if we are not running docker-in-docker.
// - On non-Linux returns false.
// //
// are not running docker-in-docker. // This is derived from libcontainer/apparmor.IsEnabled(), with the addition
// // of checks for apparmor_parser to be present and docker-in-docker.
// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
// check for apparmor_parser to be present, or if we're running docker-in-docker.
func HostSupports() bool { func HostSupports() bool {
return hostSupports() return hostSupports()
} }


@ -29,15 +29,17 @@ var (
// hostSupports returns true if apparmor is enabled for the host, if // hostSupports returns true if apparmor is enabled for the host, if
// apparmor_parser is enabled, and if we are not running docker-in-docker. // apparmor_parser is enabled, and if we are not running docker-in-docker.
// //
// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not // This is derived from libcontainer/apparmor.IsEnabled(), with the addition
// check for apparmor_parser to be present, or if we're running docker-in-docker. // of checks for apparmor_parser to be present and docker-in-docker.
func hostSupports() bool { func hostSupports() bool {
checkAppArmor.Do(func() { checkAppArmor.Do(func() {
// see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go // see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" { if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled") buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y' appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
} }
}
}) })
return appArmorSupported return appArmorSupported
} }
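Review bot: The restored `os.Stat("/sbin/apparmor_parser")` guard on the new side makes `hostSupports()` report false with no trace when the kernel has AppArmor enabled but the parser binary is absent, so callers proceed without applying a profile and an operator has no signal that confinement was silently skipped. A debug-level log line in the `err != nil` case of that inner check, using whatever logger the package already imports (the import block is outside this hunk), would make that downgrade observable. The path is also pinned to `/sbin/apparmor_parser`, which the runc code cited on the comment above does not require; if that is deliberate, a comment such as `// apparmor_parser is required to load profiles; it is assumed to live in /sbin` would record the assumption. Minor: `buf, err := os.ReadFile(...)` shadows the `err` declared in the enclosing `if` initializer, which `go vet -vettool` shadow checks will flag; `buf, rerr := ...` avoids it.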