| 1b9b11db | // +build apparmor,linux |
| c89fa664 | |
| cb4189a2 | package apparmor import ( |
| cfb97643 | "fmt" |
| cb4189a2 | "io/ioutil" |
| 5f4bc4f9 | "os" |
| cb4189a2 | ) |
| c86189d5 | // IsEnabled returns true if apparmor is enabled for the host. |
| 37f137c8 |
func IsEnabled() bool { |
| de191e86 |
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" { |
| 80a89514 |
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
} |
| 5f4bc4f9 | } return false |
| cb4189a2 | } |
| f58aa310 |
func setprocattr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
path := fmt.Sprintf("/proc/self/attr/%s", attr)
f, err := os.OpenFile(path, os.O_WRONLY, 0)
if err != nil {
return err
}
defer f.Close()
_, err = fmt.Fprintf(f, "%s", value)
return err
}
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
func changeOnExec(name string) error {
value := "exec " + name
if err := setprocattr("exec", value); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
}
|
| c86189d5 | // ApplyProfile will apply the profile with the specified name to the process after // the next exec. |
| 76fa7d58 |
func ApplyProfile(name string) error { |
| 87f0d63f |
if name == "" { |
| 37f137c8 | return nil |
| cb4189a2 | } |
| f58aa310 | return changeOnExec(name) |
| cb4189a2 | } |