instanceProfile generates the AppArmor profile template from the given instance.
(sysOS *sys.OS, inst instance, extraBinaries []string)
| 146 | |
| 147 | // instanceProfile generates the AppArmor profile template from the given instance. |
| 148 | func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (string, error) { |
| 149 | // Prepare raw.apparmor. |
| 150 | var rawContent strings.Builder |
| 151 | rawApparmor, ok := inst.ExpandedConfig()["raw.apparmor"] |
| 152 | if ok { |
| 153 | for _, line := range strings.Split(strings.Trim(rawApparmor, "\n"), "\n") { |
| 154 | fmt.Fprintf(&rawContent, " %s\n", line) |
| 155 | } |
| 156 | } |
| 157 | |
| 158 | // Check for features. |
| 159 | unixSupported, err := parserSupports(sysOS, "unix") |
| 160 | if err != nil { |
| 161 | return "", err |
| 162 | } |
| 163 | |
| 164 | usernsSupported, err := parserSupports(sysOS, "userns") |
| 165 | if err != nil { |
| 166 | return "", err |
| 167 | } |
| 168 | |
| 169 | // Deref the extra binaries. |
| 170 | for i, entry := range extraBinaries { |
| 171 | fullPath, err := filepath.EvalSymlinks(entry) |
| 172 | if err != nil { |
| 173 | continue |
| 174 | } |
| 175 | |
| 176 | extraBinaries[i] = fullPath |
| 177 | } |
| 178 | |
| 179 | // Render the profile. |
| 180 | sb := &strings.Builder{} |
| 181 | if inst.Type() == instancetype.Container { |
| 182 | err = lxcProfileTpl.Execute(sb, map[string]any{ |
| 183 | "extra_binaries": extraBinaries, |
| 184 | "feature_stacking": sysOS.AppArmorStacking && !sysOS.AppArmorStacked, |
| 185 | "feature_unix": unixSupported, |
| 186 | "feature_userns": usernsSupported, |
| 187 | "kernel_binfmt": util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]), |
| 188 | "name": InstanceProfileName(inst), |
| 189 | "namespace": InstanceNamespaceName(inst), |
| 190 | "nesting": util.IsTrue(inst.ExpandedConfig()["security.nesting"]), |
| 191 | "raw": rawContent.String(), |
| 192 | "unprivileged": util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]) || sysOS.RunningInUserNS, |
| 193 | "zfs_delegation": !inst.IsPrivileged() && storageDrivers.ZFSSupportsDelegation() && util.PathExists("/dev/zfs"), |
| 194 | }) |
| 195 | if err != nil { |
| 196 | return "", err |
| 197 | } |
| 198 | } else { |
| 199 | // AppArmor requires deref of all paths. |
| 200 | path, err := filepath.EvalSymlinks(inst.Path()) |
| 201 | if err != nil { |
| 202 | return "", err |
| 203 | } |
| 204 | |
| 205 | var edk2Paths []string |