[lxc-devel] [lxd/master] Support AppArmor policy cache directory
monstermunchkin on Github
lxc-bot at linuxcontainers.org
Wed Nov 14 01:31:25 UTC 2018
From db6a032d3457b2ca9c9ea9f7678a6d251e8a8583 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 16 Oct 2018 15:36:45 +0200
Subject: [PATCH 1/2] lxd: Handle AppArmor policy cache directory
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
lxd/apparmor.go | 47 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 36 insertions(+), 11 deletions(-)
diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index e040c8c261..644a203549 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -431,6 +431,27 @@ func runApparmor(command string, c container) error {
return err
}
+func getAACacheDir() string {
+ basePath := path.Join(aaPath, "cache")
+
+ major, minor, _, err := getAAParserVersion()
+ if err != nil {
+ return basePath
+ }
+
+ // multiple policy cache directories were only added in v2.13
+ if major >= 2 && minor <= 12 {
+ return basePath
+ }
+
+ output, err := shared.RunCommand("apparmor_parser", "-L", basePath, "--print-cache-dir")
+ if err != nil {
+ return basePath
+ }
+
+ return strings.TrimSpace(output)
+}
+
func mkApparmorNamespace(c container, namespace string) error {
state := c.DaemonState()
if !state.OS.AppArmorStacking || state.OS.AppArmorStacked {
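Review bot: The version gate `if major >= 2 && minor <= 12` in getAACacheDir treats any parser with a major version above 2 and a minor of 12 or less (a hypothetical 3.0 parser, for instance) as lacking multiple cache directories, so LXD would then delete and look for cached profiles under the flat `cache` directory rather than the directory the parser itself reports via `--print-cache-dir`. The intended condition is `if major < 2 || (major == 2 && minor <= 12) {`, which also avoids spawning the parser a second time on versions that cannot answer. The function also has no doc comment; `// getAACacheDir returns the AppArmor policy cache directory used by the installed apparmor_parser, falling back to aaPath/cache when the parser version or cache directory cannot be determined.` states the contract, including the silent fallback, for callers such as AADeleteProfile.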
@@ -531,21 +552,12 @@ func AADeleteProfile(c container) {
/* It's ok if these deletes fail: if the container was never started,
* we'll have never written a profile or cached it.
*/
- os.Remove(path.Join(aaPath, "cache", AAProfileShort(c)))
+ os.Remove(path.Join(getAACacheDir(), AAProfileShort(c)))
os.Remove(path.Join(aaPath, "profiles", AAProfileShort(c)))
}
func aaParserSupports(feature string) bool {
- out, err := shared.RunCommand("apparmor_parser", "--version")
- if err != nil {
- return false
- }
-
- major := 0
- minor := 0
- micro := 0
-
- _, err = fmt.Sscanf(strings.Split(out, "\n")[0], "AppArmor parser version %d.%d.%d", &major, &minor, µ)
+ major, minor, micro, err := getAAParserVersion()
if err != nil {
return false
}
@@ -567,3 +579,16 @@ func aaParserSupports(feature string) bool {
return true
}
+
+func getAAParserVersion() (major int, minor int, micro int, err error) {
+ var out string
+
+ out, err = shared.RunCommand("apparmor_parser", "--version")
+ if err != nil {
+ return
+ }
+
+ _, err = fmt.Sscanf(strings.Split(out, "\n")[0], "AppArmor parser version %d.%d.%d", &major, &minor, µ)
+
+ return
+}
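Review bot: getAAParserVersion discards the item count from fmt.Sscanf, so a version line with fewer than three numeric fields returns err set by Sscanf alongside partially filled major/minor values; the callers in this patch only test err, so that is harmless today, but the contract should be written down rather than relied on implicitly. A doc comment such as `// getAAParserVersion parses "AppArmor parser version X.Y.Z" from the first line of apparmor_parser --version; the returned numbers are only meaningful when err is nil.` would do. The named results with bare `return` statements are a style choice; an explicit `return major, minor, micro, err` at both exits reads more clearly in a function this short.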
From 11cc65d562c4634203626b641591426ed87bc106 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 16 Oct 2018 15:37:52 +0200
Subject: [PATCH 2/2] test: Support AppArmor policy cache directory
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
test/includes/lxd.sh | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/test/includes/lxd.sh b/test/includes/lxd.sh
index 4d5447692a..b3353a2cba 100644
--- a/test/includes/lxd.sh
+++ b/test/includes/lxd.sh
@@ -199,13 +199,20 @@ kill_lxd() {
if [ "${check_leftovers}" = "true" ]; then
echo "==> Checking for leftover files"
rm -f "${daemon_dir}/containers/lxc-monitord.log"
- rm -f "${daemon_dir}/security/apparmor/cache/.features"
+
+ # Support AppArmor policy cache directory
+ if apparmor_parser --help | grep -q -- --'print-cache.dir'; then
+ apparmor_cache_dir="$(apparmor_parser -L "${daemon_dir}"/security/apparmor/cache --print-cache-dir)"
+ else
+ apparmor_cache_dir="${daemon_dir}/security/apparmor/cache"
+ fi
+ rm -f "${apparmor_cache_dir}/.features"
check_empty "${daemon_dir}/containers/"
check_empty "${daemon_dir}/devices/"
check_empty "${daemon_dir}/images/"
# FIXME: Once container logging rework is done, uncomment
# check_empty "${daemon_dir}/logs/"
- check_empty "${daemon_dir}/security/apparmor/cache/"
+ check_empty "${apparmor_cache_dir}"
check_empty "${daemon_dir}/security/apparmor/profiles/"
check_empty "${daemon_dir}/security/seccomp/"
check_empty "${daemon_dir}/shmounts/"
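Review bot: If `apparmor_parser -L ... --print-cache-dir` fails inside the command substitution that assigns apparmor_cache_dir, the variable is left empty, and the following `rm -f "${apparmor_cache_dir}/.features"` and `check_empty "${apparmor_cache_dir}"` then act on `/.features` and an empty path instead of the test daemon's cache directory. Falling back on failure, `apparmor_cache_dir="$(apparmor_parser -L "${daemon_dir}/security/apparmor/cache" --print-cache-dir)" || apparmor_cache_dir="${daemon_dir}/security/apparmor/cache"`, keeps the leftover check pointed at the right place. The feature probe `grep -q -- --'print-cache.dir'` also uses an unescaped dot and unusual quoting; `grep -q -- '--print-cache-dir'` states the intent directly. kill_lxd's body starts and ends outside the hunk.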