
Refactor log injection
pjbgf committed Nov 19, 2021
1 parent d7eeecc commit 0494151
Showing 11 changed files with 55 additions and 31 deletions.
2 changes: 2 additions & 0 deletions Dockerfile
Expand Up @@ -12,3 +12,5 @@ FROM gcr.io/distroless/static

COPY --from=0 /sbin/apparmor_parser /sbin
COPY --from=0 /work/build /app

ENTRYPOINT [ "/app/go-apparmor" ]
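Review bot: `COPY --from=0 /sbin/apparmor_parser /sbin` drops a binary into `gcr.io/distroless/static`, which ships no libc and no dynamic loader; apparmor_parser is usually dynamically linked, so unless the build stage (outside this hunk) produced a static build, the copied file will be present but not executable in the final image. Worth confirming in the build stage with `ldd /sbin/apparmor_parser` before relying on it, and stating the expectation in a comment next to the COPY line, e.g. `# apparmor_parser must be statically linked: distroless/static has no libc`.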
27 changes: 18 additions & 9 deletions Makefile
@@ -1,10 +1,13 @@
SHELL=/bin/bash

GO ?= go
GCC ?= gcc
DOCKER ?= docker
IMAGE_TAG ?= paulinhu/go-apparmor:1
PROFILE_PATH ?= $(realpath ./example/profiles/test-profile.aa)

OUTDIR := build
CWD := $(realpath .)
OUTDIR := $(CWD)/build
PROFILE_PATH ?= $(CWD)/example/profiles/test-profile.aa

LDFLAGS := -s -w -extldflags "-static"
BINARY := go-apparmor
Expand All @@ -16,18 +19,24 @@ image:

.PHONY: build
build:
$(GO) build -ldflags '$(LDFLAGS)' -o $(OUTDIR)/$(BINARY) ./example/code/main.go
pushd example/code && \
$(GO) build -ldflags '$(LDFLAGS)' -o $(OUTDIR)/$(BINARY) ./main.go || \
popd

.PHONY: run
run: build
sudo $(OUTDIR)/$(BINARY) $(PROFILE_PATH)
$(OUTDIR)/$(BINARY) $(PROFILE_PATH)

run-container:
docker run --rm -it --privileged --pid host paulinhu/go-apparmor:1 /app/go-apparmor $(PROFILE_PATH)
.PHONY: run-container
run-container: image
docker run --rm -it --privileged --pid host $(IMAGE_TAG) $(PROFILE_PATH)

.PHONY: load-profile
load-profile:
sudo apparmor_parser -R $(PROFILE_PATH) | true
sudo apparmor_parser -Kr $(PROFILE_PATH)
sudo grep test-profile /sys/kernel/security/apparmor/profiles
apparmor_parser -R $(PROFILE_PATH) | true
apparmor_parser -Kr $(PROFILE_PATH)
grep test-profile /sys/kernel/security/apparmor/profiles

.PHONY: verify
verify:
$(GOSEC) ./...
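Review bot: In the `build` recipe, `|| popd` only runs when `go build` fails and then hands back popd's exit status, so a failed build ends the recipe successfully and `run: build` goes on to execute whatever stale binary already sits in `$(OUTDIR)`. Each recipe line runs in its own shell anyway, so the pushd/popd pair adds nothing; `cd example/code && $(GO) build -ldflags '$(LDFLAGS)' -o $(OUTDIR)/$(BINARY) ./main.go` keeps the build's exit status. The same masking exists in `load-profile`, where `apparmor_parser -R $(PROFILE_PATH) | true` reports true's status rather than the parser's; `|| true` is the idiom for a removal that is intentionally allowed to fail.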
4 changes: 3 additions & 1 deletion example/code/go.mod
Expand Up @@ -4,10 +4,12 @@ go 1.17

require (
github.com/bombsimon/logrusr/v2 v2.0.1
github.com/pjbgf/go-apparmor v0.0.3
github.com/pjbgf/go-apparmor v0.0.5
github.com/sirupsen/logrus v1.8.1
)

replace github.com/pjbgf/go-apparmor => ../..

require (
github.com/go-logr/logr v1.2.0 // indirect
golang.org/x/sys v0.0.0-20211107104306-e0b2ad06fe42 // indirect
3 changes: 1 addition & 2 deletions example/code/go.sum
Expand Up @@ -4,6 +4,7 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v1.0.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
Expand All @@ -12,8 +13,6 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/pjbgf/go-apparmor v0.0.3 h1:zAabKPyQJkGUm7gQN2VdI2U2zYfY5WIxC87+hreaDQw=
github.com/pjbgf/go-apparmor v0.0.3/go.mod h1:4Nanbc+WNK+153nbscOtNJnBrUYViAUXhprxt5wiY4c=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
Binary file added example/code/main
Binary file not shown.
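Review bot: `example/code/main` is a compiled artifact checked into the tree; a binary in the repository cannot be reviewed, is not reproducible from the commit, and will drift from the source beside it. It looks like a by-product of the reworked `build` recipe in this commit (the `-o $(OUTDIR)/$(BINARY)` flag shows the intended output lives under `build/`), so it should be dropped from the commit and `example/code/main` added to `.gitignore` alongside the build directory.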
4 changes: 2 additions & 2 deletions example/code/main.go
Expand Up @@ -31,7 +31,7 @@ func main() {
).WithCallDepth(0)

calls := func() error {
aa := apparmor.NewAppArmor(logger)
aa := apparmor.NewAppArmor().WithLogger(logger)

fmt.Println("Delete Policy...")
if err := aa.DeletePolicy(profileName); err != nil {
Expand All @@ -45,7 +45,7 @@ func main() {
return nil
}

mount := hostop.NewMountHostOp(logger)
mount := hostop.NewMountHostOp().WithLogger(logger)
if err := mount.Do(calls); err != nil {
fmt.Printf("ERROR: %v\n", err)
}
11 changes: 11 additions & 0 deletions pkg/apparmor/apparmor.go
Expand Up @@ -5,3 +5,14 @@ import "github.com/go-logr/logr"
type AppArmor struct {
logger logr.Logger
}

func NewAppArmor() *AppArmor {
return &AppArmor{
logger: logr.Discard(),
}
}

func (a *AppArmor) WithLogger(logger logr.Logger) *AppArmor {
a.logger = logger
return a
}
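Review bot: `NewAppArmor` and `WithLogger` are exported but carry no doc comments, and the new `logr.Discard()` default means log output is silently dropped until a logger is supplied, which callers need to be told. Suggested: `// NewAppArmor returns an AppArmor whose log output is discarded until WithLogger is called.` and `// WithLogger sets the logger on the receiver and returns it for chaining.`. The comment should also say that `WithLogger` mutates the receiver rather than returning a copy, since a `With` prefix is often read as an immutable-style builder.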
6 changes: 0 additions & 6 deletions pkg/apparmor/apparmor_linux.go
Expand Up @@ -17,8 +17,6 @@ import (
"path/filepath"
"sync"
"unsafe"

"github.com/go-logr/logr"
)

const (
Expand All @@ -30,10 +28,6 @@ var (
appArmorParserPath string
)

func NewAppArmor(logger logr.Logger) *AppArmor {
return &AppArmor{logger: logger}
}

// Enforceable checks whether AppArmor is installed, enabled and that
// policies are enforceable.
func (a *AppArmor) Enforceable() bool {
9 changes: 3 additions & 6 deletions pkg/hostop/container.go
Expand Up @@ -2,7 +2,6 @@ package hostop

import (
"bufio"
"fmt"
"os"
"strings"
)
Expand Down Expand Up @@ -55,17 +54,15 @@ func checkCgroup() bool {
return false
}

// hostPidNamespace checks whether the current process is using
// HostPidNamespace checks whether the current process is using
// host's PID namespace.
func (m *mountHostOp) hostPidNamespace() (bool, error) {
func HostPidNamespace() (bool, error) {
file, err := os.Open("/proc/1/sched")
if err != nil {
return false, err
}
defer func() {
if err := file.Close(); err != nil {
m.logger.V(1).Info(fmt.Sprintf("closing file: %s", err))
}
file.Close()
}()

scanner := bufio.NewScanner(file)
Expand Down
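Review bot: The deferred closure around `file.Close()` now discards the close error without saying so, and it no longer needs to be a closure at all; `defer file.Close() // read-only handle, nothing to lose on close` is shorter and documents the intentional ignore. Since `HostPidNamespace` is now exported, `/proc/1/sched` becomes part of the package's public contract; adding `// It returns an error if /proc/1/sched cannot be opened.` to the existing doc comment tells callers what the error return means. The function body continues past the end of the hunk.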
5 changes: 5 additions & 0 deletions pkg/hostop/hostop.go
Expand Up @@ -2,6 +2,8 @@
// atomic host operations at a higher privilege.
package hostop

import logr "github.com/go-logr/logr"

type NsTypeName string

const (
Expand All @@ -11,4 +13,7 @@ const (
type HostOp interface {
// Do executes the action at a privileged context at the host.
Do(action func() error) error

// WithLogger sets the logger to be used for logging.
WithLogger(logr.Logger) HostOp
}
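Review bot: `import logr "github.com/go-logr/logr"` aliases the package to its own name; the plain `import "github.com/go-logr/logr"` form is what `pkg/apparmor/apparmor.go` uses in this same commit and what goimports emits. Adding `WithLogger` to the exported `HostOp` interface is also a breaking change for any implementer outside this module; that is acceptable for a v0 module, but a note in the interface's doc comment or the release notes would spare users a surprise at upgrade time.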
15 changes: 10 additions & 5 deletions pkg/hostop/mount.go
Expand Up @@ -25,12 +25,17 @@ type mountHostOp struct {
logger logr.Logger
}

func NewMountHostOp(log logr.Logger) HostOp {
func NewMountHostOp() HostOp {
return &mountHostOp{
logger: log,
logger: logr.Discard(),
}
}

func (m *mountHostOp) WithLogger(logger logr.Logger) HostOp {
m.logger = logger
return m
}

// Do executes an action ensuring that first thread will be within the host's
// mount namespace.
//
Expand All @@ -44,7 +49,7 @@ func (m *mountHostOp) Do(action func() error) error {
if InsideContainer() {
m.logger.V(2).Info("running inside container")

hostPidNs, err := m.hostPidNamespace()
hostPidNs, err := HostPidNamespace()
if err != nil {
return fmt.Errorf("identifying pid namespace: %w", err)
}
Expand Down Expand Up @@ -87,7 +92,7 @@ func (m *mountHostOp) containerDo(action func() error) error {

defer func() {
if err := m.switchToMountNs(origFd); err != nil {
m.logger.V(2).Error(err, "revert to original mount ns")
m.logger.V(2).Info(fmt.Sprintf("revert to original mount ns: %v", err))
} else {
// if can't switch back to original mount namespace,
// fail-safe by not making the thread with host mount
Expand Down Expand Up @@ -149,7 +154,7 @@ func (m *mountHostOp) logNsInfo(nsPath string) {

var s unix.Stat_t
if err := unix.Fstat(int(fd.Fd()), &s); err != nil {
m.logger.V(2).Error(err, "fstat")
m.logger.V(2).Info(fmt.Sprintf("fstat ns: %v", err))
return
}
m.logger.V(2).Info(fmt.Sprintf("dev-inode %d:%d ns path: %s", s.Dev, s.Ino, nsPath))
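Review bot: The two `m.logger.V(2).Error(err, ...)` calls replaced at `revert to original mount ns` and `fstat ns` now fold the error into the message with `fmt.Sprintf`, which discards the structured error that logr sinks carry as a separate field; `m.logger.V(2).Info("revert to original mount ns", "error", err)` keeps the verbosity gating without the Sprintf, and the same form applies to the fstat line. The first of these is the path where `switchToMountNs(origFd)` failed and the thread could not be returned to its original mount namespace, which the comment below it treats as a fail-safe condition; logging that only at V(2) means it is invisible at default verbosity, so consider whether it belongs at the default level instead. The `containerDo` and `logNsInfo` bodies start and end outside their hunks.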
