[lxc-devel] [lxd/master] Support AppArmor policy cache directory

monstermunchkin on Github lxc-bot at linuxcontainers.org
Wed Nov 14 01:31:25 UTC 2018


From db6a032d3457b2ca9c9ea9f7678a6d251e8a8583 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 16 Oct 2018 15:36:45 +0200
Subject: [PATCH 1/2] lxd: Handle AppArmor policy cache directory

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 lxd/apparmor.go | 47 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 11 deletions(-)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index e040c8c261..644a203549 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -431,6 +431,27 @@ func runApparmor(command string, c container) error {
 	return err
 }
 
+func getAACacheDir() string {
+	basePath := path.Join(aaPath, "cache")
+
+	major, minor, _, err := getAAParserVersion()
+	if err != nil {
+		return basePath
+	}
+
+	// multiple policy cache directories were only added in v2.13
+	if major >= 2 && minor <= 12 {
+		return basePath
+	}
+
+	output, err := shared.RunCommand("apparmor_parser", "-L", basePath, "--print-cache-dir")
+	if err != nil {
+		return basePath
+	}
+
+	return strings.TrimSpace(output)
+}
+
 func mkApparmorNamespace(c container, namespace string) error {
 	state := c.DaemonState()
 	if !state.OS.AppArmorStacking || state.OS.AppArmorStacked {
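Review bot: The version gate `if major >= 2 && minor <= 12` does not mean "older than 2.13": a 3.x parser with minor ≤ 12 is sent down the legacy single-directory path, and a 1.x parser falls through to `--print-cache-dir`, which it cannot understand. Write it as `if major < 2 || (major == 2 && minor < 13) { return basePath }` so the code matches the comment above it. Every failure path silently returns `basePath`, so when the parser is present but the query fails, AADeleteProfile will later remove from a directory the parser is not using; a debug log on those branches would make that diagnosable. A doc comment would also help, e.g. `// getAACacheDir returns the directory apparmor_parser writes policy caches to, falling back to <aaPath>/cache when the parser is too old or cannot be queried.`.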
@@ -531,21 +552,12 @@ func AADeleteProfile(c container) {
 	/* It's ok if these deletes fail: if the container was never started,
 	 * we'll have never written a profile or cached it.
 	 */
-	os.Remove(path.Join(aaPath, "cache", AAProfileShort(c)))
+	os.Remove(path.Join(getAACacheDir(), AAProfileShort(c)))
 	os.Remove(path.Join(aaPath, "profiles", AAProfileShort(c)))
 }
 
 func aaParserSupports(feature string) bool {
-	out, err := shared.RunCommand("apparmor_parser", "--version")
-	if err != nil {
-		return false
-	}
-
-	major := 0
-	minor := 0
-	micro := 0
-
-	_, err = fmt.Sscanf(strings.Split(out, "\n")[0], "AppArmor parser version %d.%d.%d", &major, &minor, &micro)
+	major, minor, micro, err := getAAParserVersion()
 	if err != nil {
 		return false
 	}
@@ -567,3 +579,16 @@ func aaParserSupports(feature string) bool {
 
 	return true
 }
+
+func getAAParserVersion() (major int, minor int, micro int, err error) {
+	var out string
+
+	out, err = shared.RunCommand("apparmor_parser", "--version")
+	if err != nil {
+		return
+	}
+
+	_, err = fmt.Sscanf(strings.Split(out, "\n")[0], "AppArmor parser version %d.%d.%d", &major, &minor, &micro)
+
+	return
+}

From 11cc65d562c4634203626b641591426ed87bc106 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 16 Oct 2018 15:37:52 +0200
Subject: [PATCH 2/2] test: Support AppArmor policy cache directory

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 test/includes/lxd.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/test/includes/lxd.sh b/test/includes/lxd.sh
index 4d5447692a..b3353a2cba 100644
--- a/test/includes/lxd.sh
+++ b/test/includes/lxd.sh
@@ -199,13 +199,20 @@ kill_lxd() {
     if [ "${check_leftovers}" = "true" ]; then
         echo "==> Checking for leftover files"
         rm -f "${daemon_dir}/containers/lxc-monitord.log"
-        rm -f "${daemon_dir}/security/apparmor/cache/.features"
+
+        # Support AppArmor policy cache directory
+        if apparmor_parser --help | grep -q -- --'print-cache.dir'; then
+          apparmor_cache_dir="$(apparmor_parser -L "${daemon_dir}"/security/apparmor/cache --print-cache-dir)"
+        else
+          apparmor_cache_dir="${daemon_dir}/security/apparmor/cache"
+        fi
+        rm -f "${apparmor_cache_dir}/.features"
         check_empty "${daemon_dir}/containers/"
         check_empty "${daemon_dir}/devices/"
         check_empty "${daemon_dir}/images/"
         # FIXME: Once container logging rework is done, uncomment
         # check_empty "${daemon_dir}/logs/"
-        check_empty "${daemon_dir}/security/apparmor/cache/"
+        check_empty "${apparmor_cache_dir}"
         check_empty "${daemon_dir}/security/apparmor/profiles/"
         check_empty "${daemon_dir}/security/seccomp/"
         check_empty "${daemon_dir}/shmounts/"
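Review bot: If `apparmor_parser -L ... --print-cache-dir` fails at runtime (the `--help` grep only proves the option exists, not that the query succeeds for this directory), `apparmor_cache_dir` is left empty and the script goes on to run `rm -f "/.features"` and `check_empty ""`, which depending on check_empty's implementation may pass vacuously or remove nothing useful. Appending a fallback to the substitution, `apparmor_cache_dir="$(apparmor_parser -L "${daemon_dir}/security/apparmor/cache" --print-cache-dir)" || apparmor_cache_dir="${daemon_dir}/security/apparmor/cache"`, keeps the leftover check meaningful. Note also that on parsers that report a per-feature subdirectory, the parent `${daemon_dir}/security/apparmor/cache/` is no longer checked for leftovers at all, which the old line did. The new lines inside the `if` are indented by 10 spaces where the surrounding function uses 4-space steps (12 would match); kill_lxd starts before and ends after this hunk.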

