1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
// +build linux
package apparmor // import "github.com/docker/docker/profiles/apparmor"
import (
"bufio"
"io"
"io/ioutil"
"os"
"path"
"strings"
"text/template"
"github.com/docker/docker/pkg/aaparser"
)
var (
// profileDirectory is the file store for apparmor profiles and macros.
profileDirectory = "/etc/apparmor.d"
)
// profileData holds information about the given profile for generation.
type profileData struct {
// Name is profile name.
Name string
// DaemonProfile is the profile name of our daemon.
DaemonProfile string
// Imports defines the apparmor functions to import, before defining the profile.
Imports []string
// InnerImports defines the apparmor functions to import in the profile.
InnerImports []string
// Version is the {major, minor, patch} version of apparmor_parser as a single number.
Version int
}
// generateDefault creates an apparmor profile from ProfileData.
func (p *profileData) generateDefault(out io.Writer) error {
compiled, err := template.New("apparmor_profile").Parse(baseTemplate)
if err != nil {
return err
}
if macroExists("tunables/global") {
p.Imports = append(p.Imports, "#include <tunables/global>")
} else {
p.Imports = append(p.Imports, "@{PROC}=/proc/")
}
if macroExists("abstractions/base") {
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
}
ver, err := aaparser.GetVersion()
if err != nil {
return err
}
p.Version = ver
return compiled.Execute(out, p)
}
// macrosExists checks if the passed macro exists.
func macroExists(m string) bool {
_, err := os.Stat(path.Join(profileDirectory, m))
return err == nil
}
// InstallDefault generates a default profile in a temp directory determined by
// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
func InstallDefault(name string) error {
p := profileData{
Name: name,
}
// Figure out the daemon profile.
currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
if err != nil {
// If we couldn't get the daemon profile, assume we are running
// unconfined which is generally the default.
currentProfile = nil
}
daemonProfile := string(currentProfile)
// Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
// profiles cannot contain spaces so this doesn't restrict daemon profile
// names.
if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
daemonProfile = parts[0]
}
if daemonProfile == "" {
daemonProfile = "unconfined"
}
p.DaemonProfile = daemonProfile
// Install to a temporary directory.
f, err := ioutil.TempFile("", name)
if err != nil {
return err
}
profilePath := f.Name()
defer f.Close()
defer os.Remove(profilePath)
if err := p.generateDefault(f); err != nil {
return err
}
return aaparser.LoadProfile(profilePath)
}
// IsLoaded checks if a profile with the given name has been loaded into the
// kernel.
func IsLoaded(name string) (bool, error) {
file, err := os.Open("/sys/kernel/security/apparmor/profiles")
if err != nil {
return false, err
}
defer file.Close()
r := bufio.NewReader(file)
for {
p, err := r.ReadString('\n')
if err == io.EOF {
break
}
if err != nil {
return false, err
}
if strings.HasPrefix(p, name+" ") {
return true, nil
}
}
return false, nil
}
|
