Documentation ¶
Index ¶
- Variables
- func DecodeLabel(label string) (snap, app, hook string, err error)
- func KernelFeatures() ([]string, error)
- func LoadedProfiles() ([]string, error)
- func MockFeatures(kernelFeatures []string, kernelError error, parserFeatures []string, ...) (restore func())
- func MockLevel(level LevelType) (restore func())
- func ParserFeatures() ([]string, error)
- func ParserMtime() int64
- func ReloadAllSnapProfiles() error
- func SnapAppFromPid(pid int) (snap, app, hook string, err error)
- func Summary() string
- func UnloadProfiles(names []string, cacheDir string) error
- func UpdateHomedirsTunable(homedirs []string) error
- func ValidateNoAppArmorRegexp(s string) error
- type AaParserFlags
- type LevelType
Constants ¶
This section is empty.
Variables ¶
var (
	ConfDir        string
	CacheDir       string
	SystemCacheDir string
)

var LoadProfiles = func(fnames []string, cacheDir string, flags AaParserFlags) error {
	if len(fnames) == 0 {
		return nil
	}
	args := []string{"--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s", cacheDir)}
	if flags&ConserveCPU != 0 {
		args = append(args, numberOfJobsParam())
	}
	if flags&SkipKernelLoad != 0 {
		args = append(args, "--skip-kernel-load")
	}
	if flags&SkipReadCache != 0 {
		args = append(args, "--skip-read-cache")
	}
	if !osutil.GetenvBool("SNAPD_DEBUG") {
		args = append(args, "--quiet")
	}
	args = append(args, fnames...)
	output, err := exec.Command("apparmor_parser", args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("cannot load apparmor profiles: %s\napparmor_parser output:\n%s", err, string(output))
	}
	return nil
}
LoadProfiles loads apparmor profiles from the given files.
If no such profiles were previously loaded then they are simply added to the kernel. If there were some profiles with the same name before, those profiles are replaced.
var SnapConfineDistroProfilePath = func() string {
	for _, profileName := range []string{
		"usr.lib.snapd.snap-confine.real",
		"usr.lib.snapd.snap-confine",
		"usr.libexec.snapd.snap-confine",
	} {
		maybeProfilePath := filepath.Join(ConfDir, profileName)
		if osutil.FileExists(maybeProfilePath) {
			return maybeProfilePath
		}
	}
	return ""
}
SnapConfineDistroProfilePath returns the path to the AppArmor profile of the snap-confine binary shipped by the distribution package. If such a profile is not found (for instance, because we are running Ubuntu Core), it returns an empty string.
Functions ¶
func DecodeLabel ¶
func DecodeLabel(label string) (snap, app, hook string, err error)
func KernelFeatures ¶
func KernelFeatures() ([]string, error)
KernelFeatures returns a sorted list of apparmor features like []string{"dbus", "network"}. The result is cached internally.
func LoadedProfiles ¶
func LoadedProfiles() ([]string, error)
LoadedProfiles interrogates the kernel and returns a list of loaded apparmor profiles.
Snappy manages apparmor profiles named "snap.*". Other profiles might exist on the system (via snappy dimension) and those are filtered out.
func MockFeatures ¶
func MockFeatures(kernelFeatures []string, kernelError error, parserFeatures []string, parserError error) (restore func())
MockFeatures makes the system believe it has certain kernel and parser features.
AppArmor level and summary are automatically re-assessed as needed on both the change and the restore process. Use this function to observe real assessment of arbitrary features.
func MockLevel ¶
func MockLevel(level LevelType) (restore func())
MockLevel makes the system believe it has a certain level of apparmor support.
AppArmor kernel and parser features are set to unrealistic values that do not match the requested level. Use this function to observe behavior that relies solely on the apparmor level value.
func ParserFeatures ¶
func ParserFeatures() ([]string, error)
ParserFeatures returns a sorted list of apparmor parser features like []string{"unsafe", ...}. The computation is costly to perform. The result is cached internally.
func ParserMtime ¶
func ParserMtime() int64
ParserMtime returns the mtime of the AppArmor parser, else 0.
func ReloadAllSnapProfiles ¶
func ReloadAllSnapProfiles() error
ReloadAllSnapProfiles reloads the AppArmor profiles of all installed snaps, as well as that of snap-confine. This method is meant to be called when some rules have been changed in AppArmor include files (like in the tunable files for HOMEDIRS or other variables) which are bound to affect most snaps.
func SnapAppFromPid ¶
func SnapAppFromPid(pid int) (snap, app, hook string, err error)
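DecodeLabel and SnapAppFromPid both reduce to splitting a "snap.<snap>.<app>" or "snap.<snap>.hook.<hook>" security label. The following is an added example, not snapd's code: it decodes such a label (the "hook" rule and the stripping of a " (enforce)" mode suffix are assumptions based on snapd's tag naming) and pulls the label out of a constructed AppArmor audit line, which is the same field a detection pipeline would parse.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// decodeLabel splits a snap security label, "snap.<snap>.<app>" or
// "snap.<snap>.hook.<hook>", into its parts. It follows snapd's tag naming;
// the parsing is an illustrative assumption, not snapd's own DecodeLabel.
func decodeLabel(label string) (snap, app, hook string, err error) {
	// /proc/<pid>/attr/current appends a mode, e.g. " (enforce)": drop it (assumed).
	if i := strings.IndexByte(label, ' '); i >= 0 {
		label = label[:i]
	}
	parts := strings.Split(label, ".")
	if len(parts) < 3 || parts[0] != "snap" || parts[1] == "" {
		return "", "", "", fmt.Errorf("label %q does not belong to a snap", label)
	}
	snap = parts[1]
	switch {
	case len(parts) == 3 && parts[2] != "":
		app = parts[2]
	case len(parts) == 4 && parts[2] == "hook" && parts[3] != "":
		hook = parts[3]
	default:
		return "", "", "", fmt.Errorf("unexpected security label %q", label)
	}
	return snap, app, hook, nil
}

// profileRe pulls the profile= field out of an AppArmor audit message.
var profileRe = regexp.MustCompile(`profile="([^"]*)"`)

// profileFromAuditLine returns the confining profile named in an audit line.
func profileFromAuditLine(line string) (string, bool) {
	m := profileRe.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return m[1], true
}

func main() {
	// Constructed sample denial line, not a real capture.
	label, _ := profileFromAuditLine(`apparmor="DENIED" profile="snap.hello-world.env" name="/etc/shadow"`)
	fmt.Println(decodeLabel(label))
}
```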
func Summary ¶
func Summary() string
Summary describes how well apparmor is supported on the current kernel. The computation is costly to perform. The result is cached internally.
func UnloadProfiles ¶
func UnloadProfiles(names []string, cacheDir string) error
UnloadProfiles is meant to remove the named profiles from the running kernel and then remove any cache files. Importantly, we can only unload profiles when we are sure there are no lingering processes from the snap (i.e., forcibly stop all running processes from the snap). Otherwise, any running processes will become unconfined. Since we don't have this guarantee yet, leave the profiles loaded in the kernel but remove the cache files from the system so the policy is gone on the next reboot. LP: #1818241
func UpdateHomedirsTunable ¶
func UpdateHomedirsTunable(homedirs []string) error
UpdateHomedirsTunable sets the AppArmor HOMEDIRS tunable to the list of the specified directories. This directly affects the value of the AppArmor @{HOME} variable. See the "/etc/apparmor.d/tunables/home" file for more information.
func ValidateNoAppArmorRegexp ¶
func ValidateNoAppArmorRegexp(s string) error
ValidateNoAppArmorRegexp will check that the given string does not contain AppArmor regular expressions (AARE), double quotes or \0. Note that to check the inverse of this, that is that a string has valid AARE, one should use interfaces/utils.NewPathPattern().
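An added example of the kind of check described above, not snapd's implementation: it rejects strings containing AARE metacharacters, a double quote or NUL before they are interpolated into a profile rule. The metacharacter set in aareMeta and the ruleForPath helper are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// aareMeta is the set of characters this example treats as AppArmor
// regular-expression syntax (globs, character classes, alternation) plus
// the double quote and NUL the package documentation names. The exact
// set is an assumption for illustration; snapd's own check may differ.
const aareMeta = "*?[]{}^\"\x00"

// validateNoAARE rejects any string containing a character from aareMeta.
// A value that passes can be embedded in a profile rule as a literal;
// an unchecked "*" or "{a,b}" would silently widen the rule's scope.
func validateNoAARE(s string) error {
	if i := strings.IndexAny(s, aareMeta); i >= 0 {
		return fmt.Errorf("%q contains AppArmor regexp or quote character %q at offset %d", s, s[i], i)
	}
	return nil
}

// ruleForPath builds a quoted read rule for a literal path, refusing
// values that fail validateNoAARE. Hypothetical helper, not snapd's.
func ruleForPath(p string) (string, error) {
	if err := validateNoAARE(p); err != nil {
		return "", err
	}
	return fmt.Sprintf("\"%s\" r,", p), nil
}

func main() {
	// Constructed inputs: one literal path, one glob, one embedded quote.
	for _, p := range []string{"/home/user/data", "/home/*/data", "/srv/x\"y"} {
		rule, err := ruleForPath(p)
		fmt.Printf("%q -> %q err=%v\n", p, rule, err)
	}
}
```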
Types ¶
type AaParserFlags ¶
type AaParserFlags int
const (
	// SkipReadCache causes apparmor_parser to be invoked with --skip-read-cache.
	// This allows us to essentially overwrite a cache that we know is stale regardless
	// of the time and date settings (apparmor_parser caching is based on mtime).
	// Note that writing of the cache relies on --write-cache but we pass that
	// command-line option unconditionally.
	SkipReadCache AaParserFlags = 1 << iota
	// ConserveCPU tells apparmor_parser to spare up to two CPUs on multi-core systems to
	// reduce load when processing many profiles at once.
	ConserveCPU AaParserFlags = 1 << iota
	// SkipKernelLoad tells apparmor_parser not to load profiles into the kernel. The use
	// case of this is when in pre-seeding mode.
	SkipKernelLoad AaParserFlags = 1 << iota
)
type LevelType ¶
type LevelType int
LevelType encodes the kind of support for apparmor found on this system.
const (
	// Unknown indicates that apparmor was not probed yet.
	Unknown LevelType = iota
	// Unsupported indicates that apparmor is not enabled.
	Unsupported
	// Unusable indicates that apparmor is enabled but cannot be used.
	Unusable
	// Partial indicates that apparmor is enabled but some
	// features are missing.
	Partial
	// Full indicates that all features are supported.
	Full
)
func ProbedLevel ¶
func ProbedLevel() LevelType
ProbedLevel quantifies how well apparmor is supported on the current kernel. The computation is costly to perform. The result is cached internally.