// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package sanity

import (
	"fmt"
	"os"
)

// apparmorProfilesPath is the securityfs file listing the loaded AppArmor
// profiles. It is a variable rather than a constant, presumably so tests can
// point it at a fixture (confirm against the test file).
var apparmorProfilesPath = "/sys/kernel/security/apparmor/profiles"

// init registers checkApparmorUsable in the package-level checks list.
func init() {
	checks = append(checks, checkApparmorUsable)
}

// checkApparmorUsable reports an error when the AppArmor profiles file exists
// but cannot be opened because of insufficient permissions.
//
// Some lxd configurations make AppArmor look available although it is not:
// for instance an unprivileged container (root inside maps to non-root
// outside) that is also unconfined, so lxd sets up no AppArmor policy
// namespace. Trying to open the profiles file, as aa-status does, exposes
// that case: a permission failure means policy cannot be manipulated.
//
// Only a permission error is treated as a failure. Any other outcome of the
// open, including a missing file, yields nil.
func checkApparmorUsable() error {
	profiles, openErr := os.Open(apparmorProfilesPath)
	switch {
	case os.IsPermission(openErr):
		return fmt.Errorf("apparmor detected but insufficient permissions to use it")
	case profiles != nil:
		// The handle was only a readability probe; nothing is read from it
		// and the Close error is ignored.
		profiles.Close()
	}
	return nil
}