
Method initAppArmor

internal/server/sys/apparmor.go:22–84

Initialize AppArmor-specific attributes.



21// Initialize AppArmor-specific attributes.
22func (s *OS) initAppArmor() []cluster.Warning {
23 var dbWarnings []cluster.Warning
24
25 /* Detect AppArmor availability */
26 _, err := exec.LookPath("apparmor_parser")
27 if util.IsFalse(os.Getenv("INCUS_SECURITY_APPARMOR")) {
28 logger.Warnf("AppArmor support has been manually disabled")
29 dbWarnings = append(dbWarnings, cluster.Warning{
30 TypeCode: warningtype.AppArmorNotAvailable,
31 LastMessage: "Manually disabled",
32 })
33 } else if !internalUtil.IsDir("/sys/kernel/security/apparmor") {
34 logger.Warnf("AppArmor support has been disabled because of lack of kernel support")
35 dbWarnings = append(dbWarnings, cluster.Warning{
36 TypeCode: warningtype.AppArmorNotAvailable,
37 LastMessage: "Disabled because of lack of kernel support",
38 })
39 } else if err != nil {
40 logger.Warnf("AppArmor support has been disabled because 'apparmor_parser' couldn't be found")
41 dbWarnings = append(dbWarnings, cluster.Warning{
42 TypeCode: warningtype.AppArmorNotAvailable,
43 LastMessage: "Disabled because 'apparmor_parser' couldn't be found",
44 })
45 } else {
46 s.AppArmorAvailable = true
47 }
48
49 /* Detect AppArmor stacking support */
50 s.AppArmorStacking = appArmorCanStack()
51
52 /* Detect existing AppArmor stack */
53 if util.PathExists("/sys/kernel/security/apparmor/.ns_stacked") {
54 contentBytes, err := os.ReadFile("/sys/kernel/security/apparmor/.ns_stacked")
55 if err == nil && string(contentBytes) == "yes\n" {
56 s.AppArmorStacked = true
57 }
58 }
59
60 /* Detect AppArmor admin support */
61 if !haveMacAdmin() {
62 if s.AppArmorAvailable {
63 logger.Warnf("Per-container AppArmor profiles are disabled because the mac_admin capability is missing")
64 }
65 } else if s.RunningInUserNS && !s.AppArmorStacked {
66 if s.AppArmorAvailable {
67 logger.Warnf("Per-container AppArmor profiles are disabled because Incus is running in an unprivileged container without stacking")
68 }
69 } else {
70 s.AppArmorAdmin = true
71 }
72
73 /* Detect AppArmor confinment */
74 profile := localUtil.AppArmorProfile()
75 if profile != "unconfined" && profile != "" {
76 if s.AppArmorAvailable {
77 logger.Warnf("Per-container AppArmor profiles are disabled because Incus is already protected by AppArmor")
78 }
79
