hub / github.com/lxc/incus / instanceProfile

Function instanceProfile

internal/server/apparmor/instance.go:148–291  ·  view source on GitHub ↗

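instanceProfile renders the AppArmor profile for the given instance from the profile template and returns the profile text or an error. In the container branch shown below, the instance's raw.apparmor value is re-indented line by line and passed to the template as-is, so that setting directly shapes the resulting profile.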

(sysOS *sys.OS, inst instance, extraBinaries []string)

Source from the content-addressed store, hash-verified

146
147// instanceProfile generates the AppArmor profile template from the given instance.
148func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (string, error) {
149 // Prepare raw.apparmor.
150 var rawContent strings.Builder
151 rawApparmor, ok := inst.ExpandedConfig()["raw.apparmor"]
152 if ok {
153 for _, line := range strings.Split(strings.Trim(rawApparmor, "\n"), "\n") {
154 fmt.Fprintf(&rawContent, " %s\n", line)
155 }
156 }
157
158 // Check for features.
159 unixSupported, err := parserSupports(sysOS, "unix")
160 if err != nil {
161 return "", err
162 }
163
164 usernsSupported, err := parserSupports(sysOS, "userns")
165 if err != nil {
166 return "", err
167 }
168
169 // Deref the extra binaries.
170 for i, entry := range extraBinaries {
171 fullPath, err := filepath.EvalSymlinks(entry)
172 if err != nil {
173 continue
174 }
175
176 extraBinaries[i] = fullPath
177 }
178
179 // Render the profile.
180 sb := &strings.Builder{}
181 if inst.Type() == instancetype.Container {
182 err = lxcProfileTpl.Execute(sb, map[string]any{
183 "extra_binaries": extraBinaries,
184 "feature_stacking": sysOS.AppArmorStacking && !sysOS.AppArmorStacked,
185 "feature_unix": unixSupported,
186 "feature_userns": usernsSupported,
187 "kernel_binfmt": util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]),
188 "name": InstanceProfileName(inst),
189 "namespace": InstanceNamespaceName(inst),
190 "nesting": util.IsTrue(inst.ExpandedConfig()["security.nesting"]),
191 "raw": rawContent.String(),
192 "unprivileged": util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]) || sysOS.RunningInUserNS,
193 "zfs_delegation": !inst.IsPrivileged() && storageDrivers.ZFSSupportsDelegation() && util.PathExists("/dev/zfs"),
194 })
195 if err != nil {
196 return "", err
197 }
198 } else {
199 // AppArmor requires deref of all paths.
200 path, err := filepath.EvalSymlinks(inst.Path())
201 if err != nil {
202 return "", err
203 }
204
205 var edk2Paths []string

Callers 1

instanceProfileGenerateFunction · 0.85

Calls 15

IsFalseOrEmptyFunction · 0.92
IsTrueFunction · 0.92
PathExistsFunction · 0.92
GetenvEdk2PathFunction · 0.92
ArchitectureGetLocalIDFunction · 0.92
parserSupportsFunction · 0.85
InstanceProfileNameFunction · 0.85
InstanceNamespaceNameFunction · 0.85
SplitMethod · 0.80
TrimMethod · 0.80
ExecuteMethod · 0.80

Tested by

no test coverage detected
