Initialize AppArmor-specific attributes.
| 21 | // Initialize AppArmor-specific attributes. |
| 22 | func (s *OS) initAppArmor() []cluster.Warning { |
| 23 | var dbWarnings []cluster.Warning |
| 24 | |
| 25 | /* Detect AppArmor availability */ |
| 26 | _, err := exec.LookPath("apparmor_parser") |
| 27 | if util.IsFalse(os.Getenv("INCUS_SECURITY_APPARMOR")) { |
| 28 | logger.Warnf("AppArmor support has been manually disabled") |
| 29 | dbWarnings = append(dbWarnings, cluster.Warning{ |
| 30 | TypeCode: warningtype.AppArmorNotAvailable, |
| 31 | LastMessage: "Manually disabled", |
| 32 | }) |
| 33 | } else if !internalUtil.IsDir("/sys/kernel/security/apparmor") { |
| 34 | logger.Warnf("AppArmor support has been disabled because of lack of kernel support") |
| 35 | dbWarnings = append(dbWarnings, cluster.Warning{ |
| 36 | TypeCode: warningtype.AppArmorNotAvailable, |
| 37 | LastMessage: "Disabled because of lack of kernel support", |
| 38 | }) |
| 39 | } else if err != nil { |
| 40 | logger.Warnf("AppArmor support has been disabled because 'apparmor_parser' couldn't be found") |
| 41 | dbWarnings = append(dbWarnings, cluster.Warning{ |
| 42 | TypeCode: warningtype.AppArmorNotAvailable, |
| 43 | LastMessage: "Disabled because 'apparmor_parser' couldn't be found", |
| 44 | }) |
| 45 | } else { |
| 46 | s.AppArmorAvailable = true |
| 47 | } |
| 48 | |
| 49 | /* Detect AppArmor stacking support */ |
| 50 | s.AppArmorStacking = appArmorCanStack() |
| 51 | |
| 52 | /* Detect existing AppArmor stack */ |
| 53 | if util.PathExists("/sys/kernel/security/apparmor/.ns_stacked") { |
| 54 | contentBytes, err := os.ReadFile("/sys/kernel/security/apparmor/.ns_stacked") |
| 55 | if err == nil && string(contentBytes) == "yes\n" { |
| 56 | s.AppArmorStacked = true |
| 57 | } |
| 58 | } |
| 59 | |
| 60 | /* Detect AppArmor admin support */ |
| 61 | if !haveMacAdmin() { |
| 62 | if s.AppArmorAvailable { |
| 63 | logger.Warnf("Per-container AppArmor profiles are disabled because the mac_admin capability is missing") |
| 64 | } |
| 65 | } else if s.RunningInUserNS && !s.AppArmorStacked { |
| 66 | if s.AppArmorAvailable { |
| 67 | logger.Warnf("Per-container AppArmor profiles are disabled because Incus is running in an unprivileged container without stacking") |
| 68 | } |
| 69 | } else { |
| 70 | s.AppArmorAdmin = true |
| 71 | } |
| 72 | |
| 73 | /* Detect AppArmor confinment */ |
| 74 | profile := localUtil.AppArmorProfile() |
| 75 | if profile != "unconfined" && profile != "" { |
| 76 | if s.AppArmorAvailable { |
| 77 | logger.Warnf("Per-container AppArmor profiles are disabled because Incus is already protected by AppArmor") |
| 78 | } |