Remove AppArmor loaded profile validation

In general it could be possible that init containers deploy security profiles. The existing AppArmor pre-validation would block the complete workload without this patch being applied. If we now schedule a workload which contains an unconfined init container, then we will skip the validation. The underlying container runtime will fail if the profile is not available after the execution of the init container. This synchronizes the overall behavior with seccomp. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2025-10-28 20:30:09 +00:00 · 2021-01-12 14:06:58 +01:00
parent fcee7a0105
commit 1f8c21166e
2 changed files with 4 additions and 89 deletions
--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"testing"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/stretchr/testify/assert"
@@ -47,16 +47,7 @@ func TestValidateHost(t *testing.T) {
 	assert.Error(t, validateHost("rkt"))
 }

-func TestValidateProfile(t *testing.T) {
-	loadedProfiles := map[string]bool{
-		"docker-default": true,
-		"foo-bar":        true,
-		"baz":            true,
-		"/usr/sbin/ntpd": true,
-		"/usr/lib/connman/scripts/dhclient-script":      true,
-		"/usr/lib/NetworkManager/nm-dhcp-client.action": true,
-		"/usr/bin/evince-previewer//sanitized_helper":   true,
-	}
+func TestValidateProfileFormat(t *testing.T) {
 	tests := []struct {
 		profile     string
 		expectValid bool
@@ -67,12 +58,10 @@ func TestValidateProfile(t *testing.T) {
 		{"baz", false}, // Missing local prefix.
 		{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
 		{v1.AppArmorBetaProfileNamePrefix + "foo-bar", true},
-		{v1.AppArmorBetaProfileNamePrefix + "unloaded", false}, // Not loaded.
-		{v1.AppArmorBetaProfileNamePrefix + "", false},
 	}

 	for _, test := range tests {
-		err := validateProfile(test.profile, loadedProfiles)
+		err := ValidateProfileFormat(test.profile)
 		if test.expectValid {
 			assert.NoError(t, err, "Profile %s should be valid", test.profile)
 		} else {
@@ -121,8 +110,6 @@ func TestValidateValidHost(t *testing.T) {
 		{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
 		{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
 		{"docker-default", false},
-		{v1.AppArmorBetaProfileNamePrefix + "foo", false},
-		{v1.AppArmorBetaProfileNamePrefix + "", false},
 	}

 	for _, test := range tests {
@@ -155,23 +142,6 @@ func TestValidateValidHost(t *testing.T) {
 		},
 	}
 	assert.NoError(t, v.Validate(pod), "Multi-container pod should validate")
-	for k, val := range pod.Annotations {
-		pod.Annotations[k] = val + "-bad"
-		assert.Error(t, v.Validate(pod), fmt.Sprintf("Multi-container pod with invalid profile %s:%s", k, pod.Annotations[k]))
-		pod.Annotations[k] = val // Restore.
-	}
-}
-
-func TestParseProfileName(t *testing.T) {
-	tests := []struct{ line, expected string }{
-		{"foo://bar/baz (kill)", "foo://bar/baz"},
-		{"foo-bar (enforce)", "foo-bar"},
-		{"/usr/foo/bar/baz (complain)", "/usr/foo/bar/baz"},
-	}
-	for _, test := range tests {
-		name := parseProfileName(test.line)
-		assert.Equal(t, test.expected, name, "Parsing %s", test.line)
-	}
 }

 func getPodWithProfile(profile string) *v1.Pod {