
  1. // +build apparmor,linux
  2. package apparmor
  3. // #cgo LDFLAGS: -lapparmor
  4. // #include <sys/apparmor.h>
  5. // #include <stdlib.h>
  6. import "C"
  7. import (
  8. "fmt"
  9. "io/ioutil"
  10. "os"
  11. "unsafe"
  12. )
// IsEnabled reports whether AppArmor can be used on this host: the AppArmor
// securityfs directory exists, the process has not been flagged as running
// inside a container through the "container" environment variable,
// /sbin/apparmor_parser is present, and the kernel module reports itself
// enabled. Every failure along the way yields false.
//
// NOTE(review): the container check is driven by an environment variable, so
// it reflects what the launching environment chose to set rather than a
// kernel-reported fact; a caller that needs a hard guarantee should not rely
// on it alone.
func IsEnabled() bool {
	// Kernel-side AppArmor must be present in securityfs.
	if _, err := os.Stat("/sys/kernel/security/apparmor"); err != nil {
		return false
	}
	// Nested confinement from within a container is not attempted.
	if os.Getenv("container") != "" {
		return false
	}
	// The userspace parser is required to load profiles.
	if _, err := os.Stat("/sbin/apparmor_parser"); err != nil {
		return false
	}
	// The module parameter is expected to start with 'Y' and be at least two
	// bytes long (presumably "Y" plus a trailing newline) when enabled; an
	// unreadable file counts as disabled.
	state, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
	if err != nil {
		return false
	}
	return len(state) > 1 && state[0] == 'Y'
}
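// ApplyProfile schedules the AppArmor profile with the given name to be
// applied to this process at its next exec, via aa_change_onexec. An empty
// name is a no-op that returns nil, so a caller that wants confinement must
// pass a concrete profile name rather than relying on a default.
//
// The name is handed to libapparmor unchanged. A failed transition request
// (presumably including a profile that is not loaded — confirm against the
// libapparmor documentation) is reported as the returned error.
func ApplyProfile(name string) error {
	if name == "" {
		return nil
	}

	cName := C.CString(name)
	defer C.free(unsafe.Pointer(cName))

	// aa_change_onexec returns 0 on success and -1 with errno set on failure.
	// Check the return value rather than errno alone: a non-zero errno can be
	// left behind by an intermediate call on an otherwise successful path,
	// and a failure must not be missed just because errno happens to be 0.
	ret, err := C.aa_change_onexec(cName)
	if ret != 0 {
		if err == nil {
			return fmt.Errorf("apparmor failed to apply profile %q: return code %d", name, int(ret))
		}
		return fmt.Errorf("apparmor failed to apply profile: %s", err)
	}
	return nil
}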