instanceProfileGenerate generates instance apparmor profile policy file.
(sysOS *sys.OS, inst instance, extraBinaries []string)
| 112 | |
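// instanceProfileGenerate generates instance apparmor profile policy file.
//
// The profile is written to <aaPath>/profiles/<instanceProfileFilename(inst)>
// only when its current content differs from what instanceProfile renders
// for inst, sysOS and extraBinaries (all three are passed through unchanged).
// Leaving an up-to-date file untouched keeps its mtime stable, which is what
// lets AppArmor's binary policy cache skip a (potentially slow) recompile on
// every instance start; rewriting it unconditionally would bump the mtime and
// defeat the cache.
//
// When a write is needed the new policy is staged in a temporary file in the
// same directory and renamed over the target, so the profile path never holds
// a truncated or partially written policy and its mtime only moves once the
// complete content is in place. The resulting file is mode 0600.
//
// Returns any error from reading the existing profile (other than it not
// existing yet, which is the normal first-start case), from rendering the new
// profile, or from writing it out.
func instanceProfileGenerate(sysOS *sys.OS, inst instance, extraBinaries []string) error {
	profile := filepath.Join(aaPath, "profiles", instanceProfileFilename(inst))

	// A missing profile simply means "write it"; any other read failure
	// (permissions, I/O) is a real error.
	current, err := os.ReadFile(profile)
	if err != nil && !errors.Is(err, fs.ErrNotExist) {
		return err
	}

	updated, err := instanceProfile(sysOS, inst, extraBinaries)
	if err != nil {
		return err
	}

	// Identical content: do not touch the file, so its mtime (and with it
	// the policy cache entry keyed on that mtime) stays valid.
	if string(current) == updated {
		return nil
	}

	return profileWriteAtomic(profile, []byte(updated), 0o600)
}

// profileWriteAtomic writes data to a temporary file created next to path and
// renames it into place, so any reader of path sees either the previous
// content or the complete new content, never a partial write. The temporary
// file is removed on every failure path. The final file has mode perm.
func profileWriteAtomic(path string, data []byte, perm os.FileMode) error {
	// Staging in the target's own directory guarantees the rename stays on
	// one filesystem and is therefore atomic.
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()

	// writeAll fills, syncs, fixes the mode of and closes the staging file.
	writeAll := func() error {
		if _, err := tmp.Write(data); err != nil {
			_ = tmp.Close()
			return err
		}
		// Persist the content before the rename makes it visible, so a
		// crash right after the rename cannot leave an empty profile.
		if err := tmp.Sync(); err != nil {
			_ = tmp.Close()
			return err
		}
		if err := tmp.Chmod(perm); err != nil {
			_ = tmp.Close()
			return err
		}
		return tmp.Close()
	}

	if err := writeAll(); err != nil {
		_ = os.Remove(tmpName)
		return err
	}

	if err := os.Rename(tmpName, path); err != nil {
		_ = os.Remove(tmpName)
		return err
	}

	return nil
}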
| 146 | |
| 147 | // instanceProfile generates the AppArmor profile template from the given instance. |
| 148 | func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (string, error) { |