apparmorutil

package
Published: Oct 13, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package apparmorutil provides utilities for AppArmor

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CanApplyExistingProfile

func CanApplyExistingProfile() bool

CanApplyExistingProfile returns whether the current process can apply an existing AppArmor profile to processes.

CanApplyExistingProfile does NOT need root.

CanApplyExistingProfile checks /sys/module/apparmor/parameters/enabled, but does NOT check /sys/kernel/security/apparmor, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).

Related: https://gitlab.com/apparmor/apparmor/-/blob/v3.0.3/libraries/libapparmor/src/kernel.c#L311

func CanApplySpecificExistingProfile

func CanApplySpecificExistingProfile(profileName string) bool

CanApplySpecificExistingProfile attempts to run `aa-exec -p <NAME> -- true` to check whether the profile can be applied.

CanApplySpecificExistingProfile does NOT depend on /sys/kernel/security/apparmor/profiles, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).

func CanLoadNewProfile

func CanLoadNewProfile() bool

CanLoadNewProfile returns whether the current process can load a new AppArmor profile.

CanLoadNewProfile needs root.

CanLoadNewProfile checks both /sys/module/apparmor/parameters/enabled and /sys/kernel/security.

Related: https://gitlab.com/apparmor/apparmor/-/blob/v3.0.3/libraries/libapparmor/src/kernel.c#L311

func Unload

func Unload(target string) error

Unload unloads a profile. Needs access to /sys/kernel/security/apparmor/.remove.

Types

type Profile

type Profile struct {
	Name string `json:"Name"`           // e.g., "nerdctl-default"
	Mode string `json:"Mode,omitempty"` // e.g., "enforce"
}

func Profiles

func Profiles() ([]Profile, error)

Profiles returns the loaded AppArmor profiles.

Profiles does not need root, but it needs access to /sys/kernel/security/apparmor/policy/profiles, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).

So, Profiles cannot be called from a rootless child.
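The distinction the documentation above draws for CanApplyExistingProfile, CanLoadNewProfile, CanApplySpecificExistingProfile and Profiles is between checks that only touch sysfs (usable from a rootless child in a user namespace) and checks that need securityfs (not mountable in a user namespace). The following program is an added illustration of that split and is not the apparmorutil package's own implementation. It assumes that /sys/module/apparmor/parameters/enabled reads "Y" when AppArmor is on, and it lists profiles from the flat /sys/kernel/security/apparmor/profiles file (one "name (mode)" per line) rather than from the policy/profiles directory the package reads; the sample listing used by the parser is constructed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Profile mirrors the struct documented on this page.
type Profile struct {
	Name string `json:"Name"`           // e.g., "nerdctl-default"
	Mode string `json:"Mode,omitempty"` // e.g., "enforce"
}

const (
	// sysfs module parameter: readable even inside a user namespace.
	enabledParamPath = "/sys/module/apparmor/parameters/enabled"
	// securityfs tree: cannot be mounted in a user namespace.
	securityfsAppArmorDir = "/sys/kernel/security/apparmor"
	// Assumed flat listing, one "name (mode)" line per loaded profile
	// (the package's own Profiles() reads the policy/profiles directory instead).
	profilesListPath = securityfsAppArmorDir + "/profiles"
)

// parseEnabled interprets the module parameter value: "Y" means enabled.
func parseEnabled(raw string) bool {
	return strings.TrimSpace(raw) == "Y"
}

// canApplyExistingProfile is the no-root check: only the sysfs parameter is
// consulted, so it keeps working from a rootless child.
func canApplyExistingProfile() bool {
	b, err := os.ReadFile(enabledParamPath)
	return err == nil && parseEnabled(string(b))
}

// securityfsReachable reports whether the securityfs AppArmor tree is visible;
// this is the part that fails inside a user namespace.
func securityfsReachable() bool {
	st, err := os.Stat(securityfsAppArmorDir)
	return err == nil && st.IsDir()
}

// canLoadNewProfile mirrors the documented root-only check: root, the module
// parameter, and securityfs must all be available.
func canLoadNewProfile() bool {
	return os.Geteuid() == 0 && canApplyExistingProfile() && securityfsReachable()
}

// canApplySpecificExistingProfile probes a profile the way the documentation
// describes: `aa-exec -p <NAME> -- true` succeeds only if it can be applied.
func canApplySpecificExistingProfile(name string) bool {
	return exec.Command("aa-exec", "-p", name, "--", "true").Run() == nil
}

// parseProfiles turns "name (mode)" lines into Profile values; malformed
// lines are skipped rather than aborting the whole listing.
func parseProfiles(raw string) []Profile {
	var out []Profile
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		open := strings.LastIndex(line, " (")
		if line == "" || open < 0 || !strings.HasSuffix(line, ")") {
			continue
		}
		out = append(out, Profile{Name: line[:open], Mode: line[open+2 : len(line)-1]})
	}
	return out
}

// loadedProfiles fails explicitly when securityfs is missing, so a caller can
// tell "no profiles" apart from "cannot see profiles from this namespace".
func loadedProfiles() ([]Profile, error) {
	if !securityfsReachable() {
		return nil, fmt.Errorf("%s not reachable (rootless child or user namespace?)", securityfsAppArmorDir)
	}
	b, err := os.ReadFile(profilesListPath)
	if err != nil {
		return nil, err
	}
	return parseProfiles(string(b)), nil
}

func main() {
	fmt.Println("can apply existing profile:", canApplyExistingProfile())
	fmt.Println("can load new profile:", canLoadNewProfile())
	fmt.Println("nerdctl-default applies:", canApplySpecificExistingProfile("nerdctl-default"))
	ps, err := loadedProfiles()
	if err != nil {
		fmt.Println("profiles:", err)
		return
	}
	for _, p := range ps {
		fmt.Printf("%s (%s)\n", p.Name, p.Mode)
	}
}
```

Run it once as root on the host and once inside a rootless container or `unshare -Ur` shell: the first two checks still answer from sysfs, while loadedProfiles reports the securityfs error instead of an empty list, which is the failure mode the documentation warns about for Profiles.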
