Merge pull request moby#47005 from thaJeztah/remove_pkg_aaparser

remove pkg/aaparser, and inline remaining functionality in profiles/apparmor
thaJeztah · Jan 2, 2024 · b7ba061 · b7ba061
2 parents dbe86d9 + 6fae583
commit b7ba061
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 194 deletions.
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
diff --git a/pkg/aaparser/aaparser_test.go b/pkg/aaparser/aaparser_test.go
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
@@ -4,13 +4,13 @@ package apparmor // import "github.com/docker/docker/profiles/apparmor"
 
 import (
 	"bufio"
+	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path"
 	"strings"
 	"text/template"
-
-	"github.com/docker/docker/pkg/aaparser"
 )
 
 // profileDirectory is the file store for apparmor profiles and macros.
@@ -94,7 +94,7 @@ func InstallDefault(name string) error {
 		return err
 	}
 
-	return aaparser.LoadProfile(profilePath)
+	return loadProfile(profilePath)
 }
 
 // IsLoaded checks if a profile with the given name has been loaded into the
@@ -122,3 +122,18 @@ func IsLoaded(name string) (bool, error) {
 
 	return false, nil
 }
+
+// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
+func loadProfile(profilePath string) error {
+	c := exec.Command("apparmor_parser", "-Kr", profilePath)
+	c.Dir = ""
+
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+	}
+
+	return nil
+}