
Commit 550b0b6

committed
apparmor: Implement ApplyProfileTid()
We need to implement ApplyProfileTid() to apply a profile via /proc/<tid>/attr/exec rather than /proc/self/attr/exec; otherwise we see ~50% failures writing the profile to /proc/self/attr/exec when applying a profile to swtpm. Using the tid in the proc file path gives 100% success. Signed-off-by: Stefan Berger <[email protected]>
1 parent 6aec847 commit 550b0b6


1 file changed

+21
-5
lines changed


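--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"syscall"
 
 	"github.com/opencontainers/runc/libcontainer/utils"
 )
@@ -21,10 +22,15 @@ func IsEnabled() bool {
 	return false
 }
 
-func setProcAttr(attr, value string) error {
+func setProcAttr(attr, value string, useTid bool) error {
 	// Under AppArmor you can only change your own attr, so use /proc/self/
 	// instead of /proc/<tid>/ like libapparmor does
-	path := fmt.Sprintf("/proc/self/attr/%s", attr)
+	var path string
+	if useTid {
+		path = fmt.Sprintf("/proc/%d/attr/%s",syscall.Gettid(), attr)
+	} else {
+		path = fmt.Sprintf("/proc/self/attr/%s", attr)
+	}
 
 	f, err := os.OpenFile(path, os.O_WRONLY, 0)
 	if err != nil {
@@ -41,20 +47,30 @@ func setProcAttr(attr, value string) error {
 	}
 
 // changeOnExec reimplements aa_change_onexec from libapparmor in Go
-func changeOnExec(name string) error {
+func changeOnExec(name string, useTid bool) error {
 	value := "exec " + name
-	if err := setProcAttr("exec", value); err != nil {
+	if err := setProcAttr("exec", value, useTid); err != nil {
 		return fmt.Errorf("apparmor failed to apply profile: %s", err)
 	}
 	return nil
 }
 
+// ApplyProfileTid will apply the profile with the specified name to the process
+// after the next exec. It will use the thread id of the process to apply
+// the profile
+func ApplyProfileTid(name string) error {
+	if name == "" {
+		return nil
+	}
+	return changeOnExec(name, true)
+}
+
 // ApplyProfile will apply the profile with the specified name to the process after
 // the next exec.
 func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
 
-	return changeOnExec(name)
+	return changeOnExec(name, false)
 }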
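Review bot: The `syscall.Gettid()` in the new `useTid` branch of setProcAttr is only meaningful if the calling goroutine is pinned to its OS thread; without `runtime.LockOSThread()` the scheduler may migrate the goroutine between `Gettid()`, the write to `/proc/<tid>/attr/exec`, and the later exec, so the `exec` attribute could be set on a thread that never execs (or the write could fail, since per the existing comment AppArmor only lets a task change its own attr) — presumably runc's init path already locks the thread, but that precondition should be stated in the ApplyProfileTid doc comment, e.g. `// The caller must have pinned the goroutine with runtime.LockOSThread() so the tid used here is the thread that will exec.` The retained comment on lines 25-26 ("use /proc/self/ instead of /proc/<tid>/") is now contradicted by the code beneath it; as far as I can tell `/proc/self` resolves to the thread-group leader, so a write from any other thread is rejected, which would explain the intermittent failures the commit message describes, and the comment should say so rather than argue for `/proc/self`. Separately, `fmt.Sprintf("/proc/%d/attr/%s",syscall.Gettid(), attr)` is missing the space after the comma and is not gofmt-clean. setProcAttr's body continues outside the hunk.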
