
Commit 067f32e

apparmor: Implement ApplyProfileThread()
We need to implement ApplyProfileThread() to apply a profile via /proc/thread-self/attr/exec rather than /proc/self/attr/exec, otherwise we get (~50%) failures trying to write the profile to /proc/self/attr/exec. When using thread-self we get 100% success. Signed-off-by: Stefan Berger <[email protected]>
1 parent 931af3f commit 067f32e


2 files changed

+26
-5
lines changed


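--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -21,10 +21,15 @@ func IsEnabled() bool {
 	return false
 }
 
-func setProcAttr(attr, value string) error {
+func setProcAttr(attr, value string, useThread bool) error {
 	// Under AppArmor you can only change your own attr, so use /proc/self/
 	// instead of /proc/<tid>/ like libapparmor does
-	path := fmt.Sprintf("/proc/self/attr/%s", attr)
+	var path string
+	if useThread {
+		path = fmt.Sprintf("/proc/thread-self/attr/%s", attr)
+	} else {
+		path = fmt.Sprintf("/proc/self/attr/%s", attr)
+	}
 
 	f, err := os.OpenFile(path, os.O_WRONLY, 0)
 	if err != nil {
@@ -41,20 +46,29 @@ func setProcAttr(attr, value string) error {
 }
 
 // changeOnExec reimplements aa_change_onexec from libapparmor in Go
-func changeOnExec(name string) error {
+func changeOnExec(name string, useThread bool) error {
 	value := "exec " + name
-	if err := setProcAttr("exec", value); err != nil {
+	if err := setProcAttr("exec", value, useThread); err != nil {
 		return fmt.Errorf("apparmor failed to apply profile: %s", err)
 	}
 	return nil
 }
 
+// ApplyProfileThread will apply the profile with the specified name to the process
+// after the next exec using /proc/self-thread rather than /proc/self
+func ApplyProfileThread(name string) error {
+	if name == "" {
+		return nil
+	}
+	return changeOnExec(name, true)
+}
+
 // ApplyProfile will apply the profile with the specified name to the process after
 // the next exec.
 func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
 
-	return changeOnExec(name)
+	return changeOnExec(name, false)
 }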
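Review bot: The doc comment on ApplyProfileThread names `/proc/self-thread`, but setProcAttr opens `/proc/thread-self/attr/%s`; the comment should match the path actually written, since a reader debugging a profile that did not apply will grep for it. More importantly, the comment should spell out the contract this path implies: `/proc/thread-self` addresses only the calling OS thread, so the "exec" attribute is set on that thread alone and takes effect only if the same thread performs the exec — presumably the caller holds `runtime.LockOSThread()` from this call through exec, but nothing in the hunk enforces or documents it, and a goroutine migrating to another thread in between would silently exec without the profile. Suggested comment: `// ApplyProfileThread applies the profile with the specified name to the calling OS thread via /proc/thread-self/attr/exec, so it must be called on the thread that will exec (keep the OS thread locked until exec).` Note also that `/proc/thread-self` is a newer procfs entry than `/proc/self`; on a kernel without it the open fails and there is no fallback to the `/proc/self` path, which is fine if the supported kernel baseline covers it but worth a sentence in the comment.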

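--- a/libcontainer/apparmor/apparmor_disabled.go
+++ b/libcontainer/apparmor/apparmor_disabled.go
@@ -12,6 +12,13 @@ func IsEnabled() bool {
 	return false
 }
 
+func ApplyProfileThread(name string) error {
+	if name != "" {
+		return ErrApparmorNotEnabled
+	}
+	return nil
+}
+
 func ApplyProfile(name string) error {
 	if name != "" {
 		return ErrApparmorNotEnabled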
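Review bot: The new exported ApplyProfileThread stub has no doc comment, while the enabled build of the same function documents its behaviour; the two should read the same so callers on non-AppArmor builds see the contract. A one-liner matching the file's existing style would do: `// ApplyProfileThread is a stub for builds without AppArmor support; it returns ErrApparmorNotEnabled for any non-empty profile name.` The surrounding ApplyProfile stub below appears to have the same gap, but it is outside this change.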
