github.com/Lephar/snapd@v0.0.0-20210825215435-c7fba9cef4d2/sandbox/apparmor/process.go

github.com/Lephar/snapd@v0.0.0-20210825215435-c7fba9cef4d2/sandbox/apparmor/process.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2020 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package apparmor
    21  
    22  import (
    23  	"fmt"
    24  	"io/ioutil"
    25  	"os"
    26  	"path/filepath"
    27  	"strings"
    28  
    29  	"github.com/snapcore/snapd/osutil"
    30  )
    31  
    32  func labelFromPid(pid int) (string, error) {
    33  	// first check new kernel path, /proc/<pid>/attr/apparmor/current, falling
    34  	// back to the old path if that doesn't exist
    35  	procFile := filepath.Join(rootPath, fmt.Sprintf("proc/%v/attr/apparmor/current", pid))
    36  	if !osutil.FileExists(procFile) {
    37  		// fallback
    38  		procFile = filepath.Join(rootPath, fmt.Sprintf("proc/%v/attr/current", pid))
    39  	}
    40  	contents, err := ioutil.ReadFile(procFile)
    41  	if os.IsNotExist(err) {
    42  		return "unconfined", nil
    43  	} else if err != nil {
    44  		return "", err
    45  	}
    46  	label := strings.TrimRight(string(contents), "\n")
    47  	// Trim off the mode
    48  	if strings.HasSuffix(label, ")") {
    49  		if pos := strings.LastIndex(label, " ("); pos != -1 {
    50  			label = label[:pos]
    51  		}
    52  	}
    53  	return label, nil
    54  }
    55  
    56  func DecodeLabel(label string) (snap, app, hook string, err error) {
    57  	parts := strings.Split(label, ".")
    58  	if parts[0] != "snap" {
    59  		return "", "", "", fmt.Errorf("security label %q does not belong to a snap", label)
    60  	}
    61  	if len(parts) == 3 {
    62  		return parts[1], parts[2], "", nil
    63  	}
    64  	if len(parts) == 4 && parts[2] == "hook" {
    65  		return parts[1], "", parts[3], nil
    66  	}
    67  	return "", "", "", fmt.Errorf("unknown snap related security label %q", label)
    68  }
    69  
    70  func SnapAppFromPid(pid int) (snap, app, hook string, err error) {
    71  	label, err := labelFromPid(pid)
    72  	if err != nil {
    73  		return "", "", "", err
    74  	}
    75  	return DecodeLabel(label)
    76  }