Repository: github.com/lxc/incus

Function ForkproxyLoad

internal/server/apparmor/instance_forkproxy.go:95–131

ForkproxyLoad ensures that the instance's AppArmor policy is loaded into the kernel so that the instance can boot.

func ForkproxyLoad(sysOS *sys.OS, inst instance, dev device) error


```go
// Excerpt from internal/server/apparmor/instance_forkproxy.go. It relies on the
// package's aaPath, forkproxyProfileFilename, forkproxyProfile and loadProfile,
// and on the file's errors, io/fs, os and path/filepath imports.

// ForkproxyLoad ensures that the instance's policy is loaded into the kernel so that it can boot.
func ForkproxyLoad(sysOS *sys.OS, inst instance, dev device) error {
	/* In order to avoid forcing a profile parse (potentially slow) on
	 * every container start, let's use AppArmor's binary policy cache,
	 * which checks mtime of the files to figure out if the policy needs to
	 * be regenerated.
	 *
	 * Since it uses mtimes, we shouldn't just always write out our local
	 * AppArmor template; instead we should check to see whether the
	 * template is the same as ours. If it isn't we should write our
	 * version out so that the new changes are reflected and we definitely
	 * force a recompile.
	 */
	profile := filepath.Join(aaPath, "profiles", forkproxyProfileFilename(inst, dev))
	content, err := os.ReadFile(profile)
	if err != nil && !errors.Is(err, fs.ErrNotExist) {
		return err
	}

	updated, err := forkproxyProfile(sysOS, inst, dev)
	if err != nil {
		return err
	}

	if string(content) != string(updated) {
		err = os.WriteFile(profile, []byte(updated), 0o600)
		if err != nil {
			return err
		}
	}

	err = loadProfile(sysOS, forkproxyProfileFilename(inst, dev))
	if err != nil {
		return err
	}

	return nil
}

// ForkproxyUnload ensures that the instance's policy namespace is unloaded to free kernel memory.
// This does not delete the policy from disk or cache.
```

Callers (1)

Start (method)

Calls (4)

forkproxyProfileFilename (function)
forkproxyProfile (function)
loadProfile (function)
os.WriteFile (function)

Tested by

no test coverage detected
