| 93 | |
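// ForkproxyLoad ensures that the instance's forkproxy AppArmor policy is loaded into the kernel so it can boot.
// The on-disk profile is rewritten only when its content differs from the generated one, then loaded.
// It returns an error if the existing profile cannot be read (other than not existing), generated,
// written or loaded.
func ForkproxyLoad(sysOS *sys.OS, inst instance, dev device) error {
	/* In order to avoid forcing a profile parse (potentially slow) on
	 * every container start, let's use AppArmor's binary policy cache,
	 * which checks mtime of the files to figure out if the policy needs to
	 * be regenerated.
	 *
	 * Since it uses mtimes, we shouldn't just always write out our local
	 * AppArmor template; instead we should check to see whether the
	 * template is the same as ours. If it isn't we should write our
	 * version out so that the new changes are reflected and we definitely
	 * force a recompile.
	 */
	// Derive the profile name once; it is needed both for the path and for loading.
	name := forkproxyProfileFilename(inst, dev)
	profile := filepath.Join(aaPath, "profiles", name)

	// A missing profile is expected on first start; any other read error is fatal.
	content, err := os.ReadFile(profile)
	if err != nil && !errors.Is(err, fs.ErrNotExist) {
		return err
	}

	updated, err := forkproxyProfile(sysOS, inst, dev)
	if err != nil {
		return err
	}

	// Writing only on a content change keeps the mtime stable when nothing
	// changed (so the binary cache is reused) and replaces an on-disk copy
	// that no longer matches the generated profile before it is loaded.
	if string(content) != string(updated) {
		if err := os.WriteFile(profile, []byte(updated), 0o600); err != nil {
			return err
		}
	}

	if err := loadProfile(sysOS, name); err != nil {
		return err
	}

	return nil
}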
| 132 | |
| 133 | // ForkproxyUnload ensures that the instance's policy namespace is unloaded to free kernel memory. |
| 134 | // This does not delete the policy from disk or cache. |