libcontainer: remove dependency on libapparmor

libapparmor is integrated in libcontainer using cgo but is only used to call a single function: aa_change_onexec. It turns out this function is simple enough (writing a string to a file in /proc/<n>/attr/...) to be re-implemented locally in libcontainer in plain Go. This allows to drop the dependency on libapparmor and the corresponding cgo integration. Fixes #1674 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
opencontainers · Dec 15, 2017 · db093f6 · db093f6
1 parent bdee9ad
commit db093f6
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 13 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -23,7 +23,7 @@ env:
 before_install:
   - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
   - sudo apt-get -qq update
-  - sudo apt-get install -y libapparmor-dev libseccomp-dev/trusty-backports
+  - sudo apt-get install -y libseccomp-dev/trusty-backports
   - go get -u github.com/golang/lint/golint
   - go get -u github.com/vbatts/git-validation
   - env | grep TRAVIS_

diff --git a/README.md b/README.md
@@ -56,7 +56,7 @@ make BUILDTAGS='seccomp apparmor'
 |-----------|------------------------------------|-------------|
 | seccomp   | Syscall filtering                  | libseccomp  |
 | selinux   | selinux process and mount labeling | <none>      |
-| apparmor  | apparmor profile support           | libapparmor |
+| apparmor  | apparmor profile support           | <none>      |
 | ambient   | ambient capability support         | kernel 4.3  |
 
 

diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
@@ -2,15 +2,10 @@
 
 package apparmor
 
-// #cgo LDFLAGS: -lapparmor
-// #include <sys/apparmor.h>
-// #include <stdlib.h>
-import "C"
 import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"unsafe"
 )
 
 // IsEnabled returns true if apparmor is enabled for the host.
@@ -24,16 +19,36 @@ func IsEnabled() bool {
 	return false
 }
 
+func setprocattr(attr, value string) error {
+	// Under AppArmor you can only change your own attr, so use /proc/self/
+	// instead of /proc/<tid>/ like libapparmor does
+	path := fmt.Sprintf("/proc/self/attr/%s", attr)
+
+	f, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = fmt.Fprintf(f, "%s", value)
+	return err
+}
+
+// changeOnExec reimplements aa_change_onexec from libapparmor in Go
+func changeOnExec(name string) error {
+	value := "exec " + name
+	if err := setprocattr("exec", value); err != nil {
+		return fmt.Errorf("apparmor failed to apply profile: %s", err)
+	}
+	return nil
+}
+
 // ApplyProfile will apply the profile with the specified name to the process after
 // the next exec.
 func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
-	cName := C.CString(name)
-	defer C.free(unsafe.Pointer(cName))
-	if _, err := C.aa_change_onexec(cName); err != nil {
-		return fmt.Errorf("apparmor failed to apply profile: %s", err)
-	}
-	return nil
+
+	return changeOnExec(name)
 }