Merge pull request #684 from q384566678/add-apparmorProfile-test

Add apparmor profile test
opencontainers · Mar 5, 2019 · 5ed6852 · 5ed6852
2 parents 5fb3883 + 2e8216d
commit 5ed6852
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go
@@ -1197,6 +1197,18 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error {
 	return mountErrs
 }
 
+func (c *complianceTester) validateApparmorProfile(spec *rspec.Spec) error {
+	if spec.Process == nil || spec.Process.ApparmorProfile == "" {
+		c.harness.Skip(1, "process.ApparmorProfile not set")
+		return nil
+	}
+	profilePath := filepath.Join(spec.Root.Path, "/etc/apparmor.d", spec.Process.ApparmorProfile)
+	_, err := os.Stat(profilePath)
+	c.harness.Ok(err != nil, "has expected apparmorProfile")
+
+	return nil
+}
+
 func (c *complianceTester) validateMountLabel(spec *rspec.Spec) error {
 	if spec.Linux == nil || spec.Linux.MountLabel == "" {
 		c.harness.Skip(1, "linux.mountlabel not set")
@@ -1279,6 +1291,7 @@ func run(context *cli.Context) error {
 		c.validateUIDMappings,
 		c.validateGIDMappings,
 		c.validateMountLabel,
+		c.validateApparmorProfile,
 	}
 
 	validations := defaultValidations

diff --git a/validation/linux_process_apparmor_profile/linux_process_apparmor_profile.go b/validation/linux_process_apparmor_profile/linux_process_apparmor_profile.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/opencontainers/runtime-tools/validation/util"
+)
+
+func main() {
+	g, err := util.GetDefaultGenerator()
+	if err != nil {
+		util.Fatal(err)
+	}
+	g.SetProcessApparmorProfile("acme_secure_profile")
+	err = util.RuntimeInsideValidate(g, nil, nil)
+	if err != nil {
+		util.Fatal(err)
+	}
+}