Merge pull request #3 from pjbgf/isloaded

Improve reliability and refactor API
pjbgf · Oct 14, 2022 · 59b7f13 · 59b7f13
2 parents c501fcb + 3220087
commit 59b7f13
Show file tree

Hide file tree

Showing 24 changed files with 339 additions and 351 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -7,28 +7,24 @@ on:
 name: build
 jobs:
 
-  ubuntu:
-    runs-on: ubuntu-latest
+  tests:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+        include:
+          - os: ubuntu-latest
+            libapparmor: true
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true
     steps:
     - uses: actions/checkout@v2
-    - name: Install libapparmor-dev
+    - if: ${{ matrix.libapparmor }}
+      name: Install libapparmor-dev
       run: sudo apt-get install -y libapparmor-dev
     - name: Build
-      run: |
-        make build
-    - name: Build Example Code
-      run: |
-        make example
-
-  macos:
-    runs-on: macos-latest
-    env:
-      BUILD_TAGS: "netgo"
-    steps:
-    - uses: actions/checkout@v2
-    - name: Build
-      run: |
-        make build
-    - name: Build Example Code
-      run: |
-        make example
+      run: make build
+    - name: Tests
+      run: make test
+    - if: ${{ matrix.libapparmor }}
+      name: E2E Tests
+      run: make e2e
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1 @@
+Dockerfile
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,18 @@
-FROM golang:1.17-bullseye
+FROM golang:1.19-alpine
 
-RUN apt update && apt install -y apparmor-utils libapparmor-dev
+RUN apk add gcc build-base \
+    apparmor-utils libapparmor libapparmor-dev
 
 ADD . /work
-WORKDIR /work
-RUN make build
+WORKDIR /work/tests/e2e
 
+RUN go mod download
 
+RUN go build -tags apparmor \
+    -ldflags '-s -w -extldflags "-static"' \
+    -o /work/build/e2e main.go
 
-FROM gcr.io/distroless/static
-
-COPY --from=0 /sbin/apparmor_parser /sbin
-COPY --from=0 /work/build /app
-
-ENTRYPOINT [ "/app/go-apparmor" ]
+# E2E tests must be running as root, as it also verifies
+# hostop privileges.
+USER root
+ENTRYPOINT [ "/work/build/e2e" ]
diff --git a/Makefile b/Makefile
@@ -3,51 +3,34 @@ SHELL=/bin/bash
 GO ?= go
 GCC ?= gcc
 DOCKER ?= docker
-IMAGE_TAG ?= paulinhu/go-apparmor:1
 BUILD_TAGS ?= apparmor
 
+IMAGE_TAG = quay.io/paulinhu/go-apparmor/e2e:local
+
 CWD := $(realpath .)
 OUTDIR := $(CWD)/build
-PROFILE_PATH ?= $(CWD)/example/profiles/test-profile.aa
 
 LDFLAGS := -s -w -extldflags "-static"
 BINARY := go-apparmor
 GOSEC := gosec
 
-.PHONY: image
-image:
-	$(DOCKER) build -t $(IMAGE_TAG) .
 
 .PHONY: build
 build:
 	$(GO) build -tags $(BUILD_TAGS) ./...
 
-.PHONY: example
-example:
-	pushd example/code && \
-	$(GO) build -ldflags '$(LDFLAGS)' -o $(OUTDIR)/$(BINARY) ./main.go || \
-	popd
-
-.PHONY: run
-run: build
-	$(OUTDIR)/$(BINARY) $(PROFILE_PATH)
-
-.PHONY: run-container
-run-container: image
-	docker run --rm -it --privileged --pid host $(IMAGE_TAG) $(PROFILE_PATH)
-
-.PHONY: load-profile
-load-profile:
-	apparmor_parser -R $(PROFILE_PATH) | true
-	apparmor_parser -Kr $(PROFILE_PATH)
-	grep test-profile /sys/kernel/security/apparmor/profiles
-
 tidy:
 	$(GO) mod tidy
-	pushd example/code && \
+	pushd tests/e2e && \
 	$(GO) mod tidy || \
 	popd
 
-.PHONY: verify
-verify:
+verify: tidy
 	$(GOSEC) ./...
+
+test:
+	$(GO) test -tags $(BUILD_TAGS) ./...
+
+e2e:
+	$(DOCKER) build -t $(IMAGE_TAG) .
+	$(DOCKER) run --rm --privileged --pid host $(IMAGE_TAG)
diff --git a/README.md b/README.md
@@ -18,12 +18,14 @@ Permissions required:
 - Host's PID namespace
 - Host's Mount namespace
 - run as root
-- CAP_SYS_ADMIN
+- `CAP_SYS_ADMIN`
 - privileged (for containers)
 
+Running directly on the host machine as `root` is enough.
+
 ## Next steps
 
 - [] Implement Enforceable() and a func to check whether a profile is already loaded.
 - [] Split hostop package from this repo.
-- [] Refactor apparmor package.
-- [] Add some tests.
+- [x] Refactor apparmor package.
+- [x] Add some tests.
diff --git a/example/code/go.mod b/example/code/go.mod
diff --git a/example/code/main.go b/example/code/main.go
diff --git a/example/profiles/test-profile.aa b/example/profiles/test-profile.aa
diff --git a/go.mod b/go.mod
@@ -4,5 +4,5 @@ go 1.18
 
 require (
 	github.com/go-logr/logr v1.2.3
-	golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab
+	golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43
 )
diff --git a/go.sum b/go.sum
@@ -1,4 +1,4 @@
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab h1:2QkjZIsXupsJbJIdSjjUOgWK3aEtzyuh2mPt3l/CkeU=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43 h1:OK7RB6t2WQX54srQQYSXMW8dF5C6/8+oA/s5QBmmto4=
+golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go
@@ -1,27 +1,37 @@
 package apparmor
 
-import (
-	"github.com/go-logr/logr"
-)
-
 type aa interface {
-	// WithLogger sets a logger to be using whilst executing operations.
-	WithLogger(logger logr.Logger) aa
+	aaReader
+	aaWriter
+}
 
+type aaReader interface {
 	// Enabled checks whether AppArmor is enabled in the kernel.
+	//
+	// Requires direct read-only access to AppArmor's parameters/enabled file
+	// or be called with root privileges via hostop.mountHostOp.
 	Enabled() (bool, error)
 
 	// Enforceable checks whether AppArmor is installed, enabled and that
 	// policies are enforceable.
 	Enforceable() (bool, error)
 
-	// AppArmorFS returns the path where the AppArmor filesystem
-	// was mounted.
-	AppArmorFS() (string, error)
+	// PolicyLoaded checks whether a policy is loaded in the kernel.
+	//
+	// Requires direct read-only access to AppArmor's profiles file
+	// or be called with root privileges via hostop.mountHostOp.
+	PolicyLoaded(policyName string) (bool, error)
+}
 
-	// DeletePolicy removes an AppArmor policy from the kernel.
+type aaWriter interface {
+	// DeletePolicy unload the AppArmor policy from the kernel, then
+	// deletes the policy file.
+	//
+	// Must be called with root privileges.
 	DeletePolicy(policyName string) error
 
 	// LoadPolicy loads an AppArmor policy into the kernel.
+	//
+	// Must be called with root privileges.
 	LoadPolicy(fileName string) error
 }