From a31820bac907e06ddf6d2b27222c731484bbb5c9 Mon Sep 17 00:00:00 2001
From: Freddie
Date: Sun, 19 Feb 2023 13:53:47 +0530
Subject: [PATCH 1/6] rebased

---
 pkg/security/apparmor/validate.go | 48 +-------------------------
 pkg/security/apparmor/validate_test.go | 23 +-----------
 2 files changed, 2 insertions(+), 69 deletions(-)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index cbcd9c49f2c..8b20c710b71 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -17,11 +17,8 @@ limitations under the License.
 package apparmor
 
 import (
-	"bufio"
 	"errors"
 	"fmt"
-	"os"
-	"path"
 	"strings"
 
 	"github.com/opencontainers/runc/libcontainer/apparmor"
@@ -30,7 +27,6 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/features"
-	utilpath "k8s.io/utils/path"
 )
 
 // Whether AppArmor should be disabled by default.
@@ -48,20 +44,11 @@ func NewValidator() Validator {
 	if err := validateHost(); err != nil {
 		return &validator{validateHostErr: err}
 	}
-	appArmorFS, err := getAppArmorFS()
-	if err != nil {
-		return &validator{
-			validateHostErr: fmt.Errorf("error finding AppArmor FS: %v", err),
-		}
-	}
-	return &validator{
-		appArmorFS: appArmorFS,
-	}
+	return nil
 }
 
 type validator struct {
 	validateHostErr error
-	appArmorFS string
 }
 
 func (v *validator) Validate(pod *v1.Pod) error {
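Review bot: `+	return nil` on the success path of NewValidator hands callers a nil Validator interface, so the first `Validate` call on it panics; the line should be `return &validator{}` (patch 5/6 of this series makes exactly that change, and patches 4 and 6 then alter and restore the error branch, so the series would be clearer squashed into one commit whose message explains why the securityfs lookup was dropped rather than "rebased"). With getAppArmorFS removed, the existence check for the AppArmor securityfs directory is no longer performed, which leaves validateHost(), outside this hunk, as the only host-side gate; it is worth confirming that it still rejects a host without kernel AppArmor support so a pod requesting a profile is not admitted without confinement. The body of Validate also lies outside the hunk; the `appArmorFS` field it may have read is deleted here, so presumably that use was removed as well.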
@@ -117,36 +104,3 @@ func validateHost() error {
 
 	return nil
 }
-
-func getAppArmorFS() (string, error) {
-	mountsFile, err := os.Open("/proc/mounts")
-	if err != nil {
-		return "", fmt.Errorf("could not open /proc/mounts: %v", err)
-	}
-	defer mountsFile.Close()
-
-	scanner := bufio.NewScanner(mountsFile)
-	for scanner.Scan() {
-		fields := strings.Fields(scanner.Text())
-		if len(fields) < 3 {
-			// Unknown line format; skip it.
-			continue
-		}
-		if fields[2] == "securityfs" {
-			appArmorFS := path.Join(fields[1], "apparmor")
-			if ok, err := utilpath.Exists(utilpath.CheckFollowSymlink, appArmorFS); !ok {
-				msg := fmt.Sprintf("path %s does not exist", appArmorFS)
-				if err != nil {
-					return "", fmt.Errorf("%s: %v", msg, err)
-				}
-				return "", errors.New(msg)
-			}
-			return appArmorFS, nil
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return "", fmt.Errorf("error scanning mounts: %v", err)
-	}
-
-	return "", errors.New("securityfs not found")
-}
diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go
index 2c2d4e14ff9..1c59e6a59f2 100644
--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@@ -27,25 +27,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestGetAppArmorFS(t *testing.T) {
-	// This test only passes on systems running AppArmor with the default configuration.
-	// The test should be manually run if modifying the getAppArmorFS function.
-	t.Skip()
-
-	const expectedPath = "/sys/kernel/security/apparmor"
-	actualPath, err := getAppArmorFS()
-	assert.NoError(t, err)
-	assert.Equal(t, expectedPath, actualPath)
-}
-
-func TestValidateHost(t *testing.T) {
-	// This test only passes on systems running AppArmor with the default configuration.
-	// The test should be manually run if modifying the getAppArmorFS function.
-	t.Skip()
-
-	assert.NoError(t, validateHost())
-}
-
 func TestValidateBadHost(t *testing.T) {
 	hostErr := errors.New("expected host error")
 	v := &validator{
@@ -72,9 +53,7 @@ func TestValidateBadHost(t *testing.T) {
 }
 
 func TestValidateValidHost(t *testing.T) {
-	v := &validator{
-		appArmorFS: "./testdata/",
-	}
+	v := &validator{}
 
 	tests := []struct {
 		profile string

From 7db787e97ce85c46fa96b8707878de92ea96f5e1 Mon Sep 17 00:00:00 2001
From: Freddie
Date: Sun, 19 Feb 2023 21:08:06 +0530
Subject: [PATCH 2/6] removed Validator.Validate Interface

---
 pkg/security/apparmor/validate.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index 8b20c710b71..98ada0bd771 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -36,7 +36,6 @@ var isDisabledBuild bool
 // Validator is a interface for validating that a pod with an AppArmor profile can be run by a Node.
 type Validator interface {
 	Validate(pod *v1.Pod) error
-	ValidateHost() error
 }
 
 // NewValidator is in order to find AppArmor FS

From 10193062f0d8fb3337645523f1f1de268c90e508 Mon Sep 17 00:00:00 2001
From: Freddie
Date: Sun, 19 Feb 2023 21:26:43 +0530
Subject: [PATCH 3/6] undone last changes

---
 pkg/security/apparmor/validate.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index 98ada0bd771..8b20c710b71 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -36,6 +36,7 @@ var isDisabledBuild bool
 // Validator is a interface for validating that a pod with an AppArmor profile can be run by a Node.
 type Validator interface {
 	Validate(pod *v1.Pod) error
+	ValidateHost() error
 }
 
 // NewValidator is in order to find AppArmor FS

From 02e6092087e5da5b490c4425e7475179d9d21ed5 Mon Sep 17 00:00:00 2001
From: Freddie
Date: Tue, 21 Feb 2023 11:24:39 +0530
Subject: [PATCH 4/6] made error nil

---
 pkg/security/apparmor/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index 8b20c710b71..e3bd882ead9 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -42,7 +42,7 @@ type Validator interface {
 // NewValidator is in order to find AppArmor FS
 func NewValidator() Validator {
 	if err := validateHost(); err != nil {
-		return &validator{validateHostErr: err}
+		return nil
 	}
 	return nil
 }

From e33a4d656f5de62b47776957c05143b4b899b2be Mon Sep 17 00:00:00 2001
From: Freddie
Date: Tue, 21 Feb 2023 11:43:51 +0530
Subject: [PATCH 5/6] changes in NewValidator

---
 pkg/security/apparmor/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index e3bd882ead9..f0ec779218e 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -44,7 +44,7 @@ func NewValidator() Validator {
 	if err := validateHost(); err != nil {
 		return nil
 	}
-	return nil
+	return &validator{}
 }
 
 type validator struct {

From 3db6cc5b8bce55cd65c36524c0301b9f86ea8611 Mon Sep 17 00:00:00 2001
From: Freddie
Date: Tue, 21 Feb 2023 13:02:30 +0530
Subject: [PATCH 6/6] changes in NewValidator

---
 pkg/security/apparmor/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index f0ec779218e..35d9a337f09 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -42,7 +42,7 @@ type Validator interface {
 // NewValidator is in order to find AppArmor FS
 func NewValidator() Validator {
 	if err := validateHost(); err != nil {
-		return nil
+		return &validator{validateHostErr: err}
 	}
 	return &validator{}
 }
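Review bot: The context line `// NewValidator is in order to find AppArmor FS` is stale once this final patch lands, because the constructor no longer locates the AppArmor filesystem; it only runs validateHost and stores the outcome, so the comment should read `// NewValidator checks host AppArmor support once and returns a Validator carrying the result of that check.` Restoring `&validator{validateHostErr: err}` on the error branch is the right end state: patch 4/6 had made the host-check failure vanish into a nil return, which would have left callers with no error to report and a nil interface to call. Across patches 4/6 to 6/6 the only surviving change is `return &validator{}` on the success path, so these three one-line commits would read better squashed into one; how Validate consumes validateHostErr is outside the hunk and is presumed unchanged.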