We use cookies to ensure you get the best experience on our website
Inicio Explorar Ayuda
Registro Iniciar sesión
0ct0pu5
/
moby
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Explorar el Código

Generate imports based on what is avaliable
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Michael Crosby hace 11 años
padre
6c26a87901
commit
3061a6a2ab
Se han modificado 2 ficheros con 107 adiciones y 46 borrados
Dividir vista Mostrar estadísticas de diff
  1. 92 0
      pkg/apparmor/gen.go
  2. 15 46
      pkg/apparmor/setup.go

+ 92 - 0
pkg/apparmor/gen.go
Ver fichero 

@@ -0,0 +1,92 @@
 
+package apparmor
 
+
 
+import (
 
+	"io"
 
+	"os"
 
+	"text/template"
 
+)
 
+
 
+type data struct {
 
+	Name         string
 
+	Imports      []string
 
+	InnerImports []string
 
+}
 
+
 
+const baseTemplate = `
 
+{{range $value := .Imports}}
 
+{{$value}}
 
+{{end}}
 
+
 
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 
+{{range $value := .InnerImports}}
 
+  {{$value}}
 
+{{end}}
 
+
 
+  network,
 
+  capability,
 
+  file,
 
+  umount,
 
+
 
+  mount fstype=tmpfs,
 
+  mount fstype=mqueue,
 
+  mount fstype=fuse.*,
 
+  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 
+  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
+  mount fstype=fusectl -> /sys/fs/fuse/connections/,
 
+  mount fstype=securityfs -> /sys/kernel/security/,
 
+  mount fstype=debugfs -> /sys/kernel/debug/,
 
+  mount fstype=proc -> /proc/,
 
+  mount fstype=sysfs -> /sys/,
 
+
 
+  deny @{PROC}/sys/fs/** wklx,
 
+  deny @{PROC}/sysrq-trigger rwklx,
 
+  deny @{PROC}/mem rwklx,
 
+  deny @{PROC}/kmem rwklx,
 
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
 
+  deny @{PROC}/sys/kernel/*/** wklx,
 
+
 
+  deny mount options=(ro, remount) -> /,
 
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
 
+  deny mount fstype=devpts,
 
+
 
+  deny /sys/[^f]*/** wklx,
 
+  deny /sys/f[^s]*/** wklx,
 
+  deny /sys/fs/[^c]*/** wklx,
 
+  deny /sys/fs/c[^g]*/** wklx,
 
+  deny /sys/fs/cg[^r]*/** wklx,
 
+  deny /sys/firmware/efi/efivars/** rwklx,
 
+  deny /sys/kernel/security/** rwklx,
 
+}
 
+`
 
+
 
+func generateProfile(out io.Writer) error {
 
+	compiled, err := template.New("apparmor_profile").Parse(baseTemplate)
 
+	if err != nil {
 
+		return err
 
+	}
 
+	data := &data{
 
+		Name: "docker-default",
 
+	}
 
+	if tuntablesExists() {
 
+		data.Imports = append(data.Imports, "#include <tunables/global>")
 
+	}
 
+	if abstrctionsEsists() {
 
+		data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
 
+	}
 
+	if err := compiled.Execute(out, data); err != nil {
 
+		return err
 
+	}
 
+	return nil
 
+}
 
+
 
+// check if the tunables/global exist
 
+func tuntablesExists() bool {
 
+	_, err := os.Stat("/etc/apparmor.d/tunables/global")
 
+	return err == nil
 
+}
 
+
 
+// check if abstractions/base exist
 
+func abstrctionsEsists() bool {
 
+	_, err := os.Stat("/etc/apparmor.d/abstractions/base")
 
+	return err == nil
 
+}

+ 15 - 46
pkg/apparmor/setup.go
Ver fichero 

@@ -3,7 +3,6 @@ package apparmor
 
 import (
 
 	"fmt"
 
 	"io"
 
-	"io/ioutil"
 
 	"os"
 
 	"os/exec"
 
 	"path"
 
@@ -13,47 +12,6 @@ const (
 
 	DefaultProfilePath = "/etc/apparmor.d/docker"
 
 )
 
 
-const DefaultProfile = `
 
-#include <tunables/global>
 
-profile docker-default flags=(attach_disconnected,mediate_deleted) {
 
-  #include <abstractions/base>
 
-  network,
 
-  capability,
 
-  file,
 
-  umount,
 
-
 
-  mount fstype=tmpfs,
 
-  mount fstype=mqueue,
 
-  mount fstype=fuse.*,
 
-  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 
-  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
-  mount fstype=fusectl -> /sys/fs/fuse/connections/,
 
-  mount fstype=securityfs -> /sys/kernel/security/,
 
-  mount fstype=debugfs -> /sys/kernel/debug/,
 
-  mount fstype=proc -> /proc/,
 
-  mount fstype=sysfs -> /sys/,
 
-
 
-  deny @{PROC}/sys/fs/** wklx,
 
-  deny @{PROC}/sysrq-trigger rwklx,
 
-  deny @{PROC}/mem rwklx,
 
-  deny @{PROC}/kmem rwklx,
 
-  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
 
-  deny @{PROC}/sys/kernel/*/** wklx,
 
-
 
-  deny mount options=(ro, remount) -> /,
 
-  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
 
-  deny mount fstype=devpts,
 
-
 
-  deny /sys/[^f]*/** wklx,
 
-  deny /sys/f[^s]*/** wklx,
 
-  deny /sys/fs/[^c]*/** wklx,
 
-  deny /sys/fs/c[^g]*/** wklx,
 
-  deny /sys/fs/cg[^r]*/** wklx,
 
-  deny /sys/firmware/efi/efivars/** rwklx,
 
-  deny /sys/kernel/security/** rwklx,
 
-}
 
-`
 
-
 
 func InstallDefaultProfile(backupPath string) error {
 
 	if !IsEnabled() {
 
 		return nil
 
@@ -95,15 +53,26 @@ func InstallDefaultProfile(backupPath string) error {
 
 		return err
 
 	}
 
 
-	if err := ioutil.WriteFile(DefaultProfilePath, []byte(DefaultProfile), 0644); err != nil {
 
+	f, err := os.OpenFile(DefaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
 
+	if err != nil {
 
+		return err
 
+	}
 
+	if err := generateProfile(f); err != nil {
 
+		f.Close()
 
 		return err
 
 	}
 
+	f.Close()
 
+
 
+	cmd := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker")
 
+	// to use the parser directly we have to make sure we are in the correct
 
+	// dir with the profile
 
+	cmd.Dir = "/etc/apparmor.d"
 
 
-	output, err := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker").CombinedOutput()
 
+	output, err := cmd.CombinedOutput()
 
 	if err != nil && !os.IsNotExist(err) {
 
 		if e, ok := err.(*exec.Error); ok {
 
-			// keeping with the current profile load code, if the parser does not exist then
 
-			// just return
 
+			// keeping with the current profile load code, if the parser does not
 
+			// exist then just return
 
 			if e.Err == exec.ErrNotFound || os.IsNotExist(e.Err) {
 
 				return nil
 
 			}

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5