move up to latest critools; add apparmor profile check

Signed-off-by: Mike Brown <brownwm@us.ibm.com>

hack/utils.sh

@@ -17,7 +17,7 @@
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
 
 # Not from vendor.conf.
-CRITOOL_VERSION=v1.16.1
+CRITOOL_VERSION=v1.18.0
 CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools
 CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools
 

pkg/server/container_create_unix.go

@@ -19,6 +19,9 @@
 package server
 
 import (
+	"bufio"
+	"io"
+	"os"
 	"strconv"
 	"strings"
 
@@ -353,7 +356,41 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 		if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
 			return nil, errors.Errorf("invalid apparmor profile %q", apparmorProf)
 		}
-		return apparmor.WithProfile(strings.TrimPrefix(apparmorProf, profileNamePrefix)), nil
+		appArmorProfile := strings.TrimPrefix(apparmorProf, profileNamePrefix)
+		if profileExists, err := appArmorProfileExists(appArmorProfile); !profileExists {
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to generate apparmor spec opts")
+			}
+			return nil, errors.Errorf("apparmor profile not found %s", appArmorProfile)
+		}
+		return apparmor.WithProfile(appArmorProfile), nil
+	}
+}
+
+// appArmorProfileExists scans apparmor/profiles for the requested profile
+func appArmorProfileExists(profile string) (bool, error) {
+	if profile == "" {
+		return false, errors.New("nil apparmor profile is not supported")
+	}
+	profiles, err := os.Open("/sys/kernel/security/apparmor/profiles")
+	if err != nil {
+		return false, err
+	}
+	defer profiles.Close()
+
+	rbuff := bufio.NewReader(profiles)
+	for {
+		line, err := rbuff.ReadString('\n')
+		switch err {
+		case nil:
+			if strings.HasPrefix(line, profile+" (") {
+				return true, nil
+			}
+		case io.EOF:
+			return false, nil
+		default:
+			return false, err
+		}
 	}
 }
 

pkg/server/container_create_unix_test.go

@@ -882,14 +882,15 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    runtimeDefault,
 			privileged: true,
 		},
-		"should set specified profile when local profile is specified": {
-			profile:  profileNamePrefix + "test-profile",
-			specOpts: apparmor.WithProfile("test-profile"),
+		// TODO (mikebrow) add success with exising defined profile tests
+		"should return error when undefined local profile is specified": {
+			profile:   profileNamePrefix + "test-profile",
+			expectErr: true,
 		},
-		"should set apparmor when local profile is specified and privileged is true": {
+		"should return error when undefined local profile is specified and privileged is true": {
 			profile:    profileNamePrefix + "test-profile",
 			privileged: true,
-			specOpts:   apparmor.WithProfile("test-profile"),
+			expectErr:  true,
 		},
 		"should return error if specified profile is invalid": {
 			profile:   "test-profile",