1b9b11db | // +build apparmor,linux |
c89fa664 | |
cb4189a2 | package apparmor import ( |
cfb97643 | "fmt" |
cb4189a2 | "io/ioutil" |
5f4bc4f9 | "os" |
cb4189a2 | ) |
// IsEnabled reports whether AppArmor can be used on this host. Every one of
// the following must hold: the AppArmor securityfs directory exists, the
// "container" environment variable is unset, /sbin/apparmor_parser is present,
// and the kernel's enabled parameter starts with 'Y'.
func IsEnabled() bool {
	if _, err := os.Stat("/sys/kernel/security/apparmor"); err != nil {
		return false
	}
	// A non-empty "container" variable is taken as a hint that this process
	// runs inside a container, where the host policy is not ours to drive.
	if os.Getenv("container") != "" {
		return false
	}
	if _, err := os.Stat("/sbin/apparmor_parser"); err != nil {
		return false
	}
	enabled, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
	if err != nil {
		return false
	}
	// Require a 'Y' plus at least one more byte (presumably the trailing
	// newline) so an empty or truncated read never counts as enabled.
	return len(enabled) > 1 && enabled[0] == 'Y'
}
// setprocattr writes value to /proc/self/attr/<attr>. Under AppArmor a process
// may only change its own attributes, so /proc/self/ is used rather than
// /proc/<tid>/ as libapparmor does. The open or write error is returned as-is.
func setprocattr(attr, value string) error {
	attrPath := fmt.Sprintf("/proc/self/attr/%s", attr)
	fh, err := os.OpenFile(attrPath, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer fh.Close()
	// The kernel interprets the whole write as one request, so send it as a
	// single write rather than piece by piece.
	_, err = fmt.Fprintf(fh, "%s", value)
	return err
}

// changeOnExec reimplements aa_change_onexec from libapparmor in Go: it asks
// the kernel to switch this process to the named profile at its next exec.
// Any error from setprocattr is wrapped with an "apparmor failed to apply
// profile" prefix.
func changeOnExec(name string) error {
	request := "exec " + name
	err := setprocattr("exec", request)
	if err == nil {
		return nil
	}
	return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
// ApplyProfile will apply the profile with the specified name to the process
// after the next exec. An empty name is a no-op and returns nil, so callers
// that want to enforce confinement must check the name themselves.
func ApplyProfile(name string) error {
	if name != "" {
		return changeOnExec(name)
	}
	return nil
}