Skip to content

Remove check for apparmor_parser in apparmor.IsEnabled() #2554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AkihiroSuda merged 1 commit into from
Aug 21, 2020
Merged

Remove check for apparmor_parser in apparmor.IsEnabled() #2554

AkihiroSuda merged 1 commit into from
Aug 21, 2020

Conversation

@saschagrunert
Copy link
Contributor

@saschagrunert saschagrunert commented Aug 16, 2020
edited
Loading

Not all distributions ship the apparmor_parser in /sbin/ (like NixOS). To be able to use the AppArmor feature on such distributions as well we have to check for the apparmor_parser in the $PATH environment variable.

New approach: The apparmor_parser binary is not really required for a system to run AppArmor from a runc perspective. How to apply the profile is more in the responsibility of higher level runtimes like Podman and Docker, which may do the binary check on their own

Possible release note:

- Removed the check for the `/sbin/apparmor_parser` binary when checking for `apparmor.IsEnabled()`.
  Every runtime which relies on the existence on the binary should now take action and verify that on
  its own. The binary can be present in `/sbin` as well as in `$PATH` on some distributions.

AkihiroSuda
AkihiroSuda previously approved these changes Aug 16, 2020
View reviewed changes
@AkihiroSuda AkihiroSuda dismissed their stale review August 16, 2020 19:15

OTOH Not all distro have /sbin in the $PATH, so we should test both /sbin and $PATH

@AkihiroSuda AkihiroSuda added this to the 1.0.0 milestone Aug 16, 2020
@saschagrunert saschagrunert force-pushed the apparmor-parser branch 2 times, most recently from 7d0de63 to ae891b5 Compare August 16, 2020 19:49
@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 16, 2020
edited
Loading

@AkihiroSuda you dismissed the review comment, I still added the check for /sbin. Do you have any concerns about this?

AkihiroSuda
AkihiroSuda previously approved these changes Aug 16, 2020
View reviewed changes
@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 16, 2020

@mrunalp @cyphar please take a look, too :)

@dims
Copy link
Contributor

dims commented Aug 16, 2020

LGTM 👍

cyphar
cyphar reviewed Aug 17, 2020
View reviewed changes
kolyshkin
kolyshkin reviewed Aug 17, 2020
View reviewed changes
cyphar
cyphar reviewed Aug 17, 2020
View reviewed changes
@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 17, 2020
edited
Loading

I proposed to remove the check with respect to the discussions on #2554 (comment) and #2554 (comment).

The original commit where this check has been added is 44c7afa (cc @tifayuki)

@AkihiroSuda AkihiroSuda changed the title Allow searching for apparmor_parser in $PATH Remove check for apparmor_parser in apparmor.IsEnabled() Aug 17, 2020
AkihiroSuda
AkihiroSuda previously approved these changes Aug 17, 2020
View reviewed changes
kolyshkin
kolyshkin reviewed Aug 17, 2020
View reviewed changes
@kolyshkin
Copy link
Contributor

kolyshkin commented Aug 17, 2020

The original commit where this check has been added is 44c7afa (cc @tifayuki)

The code was actually in a different repository back then. Tracking it back to the original repo, this was done in docker-archive/libcontainer#532 which describes the reason for this (docker tries to exec this binary and fails).

More interestingly, this check was later removed (see docker-archive/libcontainer#645) but somehow the change was not propagated to runc.

So, yes, I agree, there's no need to check for the binary existence

mrunalp
mrunalp previously approved these changes Aug 17, 2020
View reviewed changes
cyphar
cyphar requested changes Aug 17, 2020
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also drop the container environment variable check.

@saschagrunert saschagrunert dismissed stale reviews from mrunalp and AkihiroSuda via 54d3986 August 18, 2020 06:59
@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 18, 2020

We should also drop the container environment variable check.

Dropped that check as well 👍

cyphar
cyphar previously approved these changes Aug 18, 2020
View reviewed changes
@cyphar
Copy link
Member

cyphar commented Aug 18, 2020
edited
Loading

Now shellcheck is failing. You need to rebase on top of #2549 (or rather, master).

@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 18, 2020

Now shellcheck is failing. You need to rebase on top of #2549 (or rather, master).

Rebased on top of the latest master branch ✔️

@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 18, 2020

Looks like the master is broken, too. :)

kolyshkin
kolyshkin reviewed Aug 19, 2020
View reviewed changes
@kolyshkin
Copy link
Contributor

kolyshkin commented Aug 19, 2020

Looks like the master is broken, too. :)

Once #2561 is fixed you'll need to rebase this one; sorry for the trouble

@kolyshkin
Copy link
Contributor

kolyshkin commented Aug 20, 2020

Once #2561 is fixed you'll need to rebase this one; sorry for the trouble

@saschagrunert the fix is merged; please rebase

@saschagrunert
Remove check for apparmor_parser in apparmor.IsEnabled()
bfb4ea1 
The `apparmor_parser` binary is not really required for a system to run
AppArmor from a runc perspective. How to apply the profile is more in
the responsibility of higher level runtimes like Podman and Docker,
which may do the binary check on their own.

Signed-off-by: Sascha Grunert <[email protected]>
@saschagrunert
Copy link
Contributor Author

saschagrunert commented Aug 20, 2020

Once #2561 is fixed you'll need to rebase this one; sorry for the trouble

@saschagrunert the fix is merged; please rebase

Thanks for the hint, rebased on top of the latest master branch.

kolyshkin
kolyshkin approved these changes Aug 20, 2020
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dims
Copy link
Contributor

dims commented Aug 20, 2020

LGTM

@AkihiroSuda AkihiroSuda merged commit 19b63de into opencontainers:master Aug 21, 2020
@saschagrunert saschagrunert deleted the apparmor-parser branch August 21, 2020 21:08
@AkihiroSuda AkihiroSuda modified the milestones: 1.0.0, 1.0.0-rc93 Sep 29, 2020
@thaJeztah thaJeztah mentioned this pull request Nov 10, 2020
Merged
@thaJeztah
Copy link
Member

thaJeztah commented Nov 10, 2020
edited
Loading

@kolyshkin @AkihiroSuda regarding #2554 (comment)

Dusting off git history, the check for container env var comes from moby/moby#5534. And yes, container= was set at least by Docker's LXC driver.

I think it's obsoleted by now and should be removed.

Wondering if the env-var is still relevant when running containerised (docker-in-docker); The dind script still sets it;
https://github.com/docker/docker/blob/ed89041433a031cafc0a0f19cfe573c31688d377/hack/dind#L13-L14

(originally was added to address moby/moby#5529)

/cc @tianon PTAL

@saschagrunert saschagrunert mentioned this pull request Jan 12, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphar cyphar cyphar left review comments

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@mrunalp mrunalp mrunalp left review comments

Assignees

No one assigned

Labels

kind/bug

Projects

None yet

Milestone

1.0.0-rc93

Development

Successfully merging this pull request may close these issues.

7 participants

@saschagrunert @dims @kolyshkin @cyphar @thaJeztah @mrunalp @AkihiroSuda