apparmor: do not save profile to /etc/apparmor.d

cyphar · cyphar · commit 2f7596aaef3a · 2016-09-13T16:25:16.000+10:00
Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.

Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.

Signed-off-by: Aleksa Sarai &lt;asarai@suse.de&gt;
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
@@ -23,10 +23,10 @@ func GetVersion() (int, error) {
 	return parseVersion(output)
 }
 
-// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to
-// replace and write it to disk.
+// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
+// replace the profile.
 func LoadProfile(profilePath string) error {
-	_, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))
+	_, err := cmd("-r", filepath.Dir(profilePath))
 	if err != nil {
 		return err
 	}
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
@@ -5,6 +5,7 @@ package apparmor
 import (
 	"bufio"
 	"io"
+	"io/ioutil"
 	"os"
 	"path"
 	"strings"
@@ -16,8 +17,6 @@ import (
 var (
 	// profileDirectory is the file store for apparmor profiles and macros.
 	profileDirectory = "/etc/apparmor.d"
-	// defaultProfilePath is the default path for the apparmor profile to be saved.
-	defaultProfilePath = path.Join(profileDirectory, "docker")
 )
 
 // profileData holds information about the given profile for generation.
@@ -70,26 +69,26 @@ func macroExists(m string) bool {
 // InstallDefault generates a default profile and installs it in the
 // ProfileDirectory with `apparmor_parser`.
 func InstallDefault(name string) error {
-	// Make sure the path where they want to save the profile exists
-	if err := os.MkdirAll(profileDirectory, 0755); err != nil {
-		return err
-	}
-
 	p := profileData{
 		Name: name,
 	}
 
-	f, err := os.OpenFile(defaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	// Install to a temporary directory.
+	f, err := ioutil.TempFile("", name)
 	if err != nil {
 		return err
 	}
+	profilePath := f.Name()
+
+	defer f.Close()
+	defer os.Remove(profilePath)
+
 	if err := p.generateDefault(f); err != nil {
 		f.Close()
 		return err
 	}
-	f.Close()
 
-	if err := aaparser.LoadProfile(defaultProfilePath); err != nil {
+	if err := aaparser.LoadProfile(profilePath); err != nil {
 		return err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -23,10 +23,10 @@ func GetVersion() (int, error) {`
`23`	`23`	`return parseVersion(output)`
`24`	`24`	`}`
`25`	`25`
`26`		-// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to
`27`		`-// replace and write it to disk.`
	`26`	+// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
	`27`	`+// replace the profile.`
`28`	`28`	`func LoadProfile(profilePath string) error {`
`29`		`- _, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))`
	`29`	`+ _, err := cmd("-r", filepath.Dir(profilePath))`
`30`	`30`	`if err != nil {`
`31`	`31`	`return err`
`32`	`32`	`}`