File: security.go

package info (click to toggle)
apptainer 1.4.5-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 12,780 kB
  • sloc: sh: 3,329; ansic: 1,706; awk: 414; python: 103; makefile: 54
file content (72 lines) | stat: -rw-r--r-- 2,498 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
// Copyright (c) Contributors to the Apptainer project, established as
//   Apptainer a Series of LF Projects LLC.
//   For website terms of use, trademark policy, privacy policy and other
//   project policies see https://lfprojects.org/policies
// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.

package security

import (
	"fmt"
	"strings"

	"github.com/apptainer/apptainer/internal/pkg/security/apparmor"
	"github.com/apptainer/apptainer/internal/pkg/security/seccomp"
	"github.com/apptainer/apptainer/internal/pkg/security/selinux"
	"github.com/apptainer/apptainer/pkg/sylog"
	"github.com/opencontainers/runtime-spec/specs-go"
)

// Configure applies security related configuration to current process
func Configure(config *specs.Spec) error {
	if config.Process != nil {
		if config.Process.SelinuxLabel != "" && config.Process.ApparmorProfile != "" {
			return fmt.Errorf("you can't specify both an apparmor profile and a selinux label")
		}
		if config.Process.SelinuxLabel != "" {
			if selinux.Enabled() {
				if err := selinux.SetExecLabel(config.Process.SelinuxLabel); err != nil {
					return err
				}
			} else {
				return fmt.Errorf("selinux requested, but is not enabled or supported on this system")
			}
		} else if config.Process.ApparmorProfile != "" {
			if apparmor.Enabled() {
				if err := apparmor.LoadProfile(config.Process.ApparmorProfile); err != nil {
					return err
				}
			} else {
				return fmt.Errorf("apparmor requested, but is not enabled or supported on this system")
			}
		}
	}
	if config.Linux != nil && config.Linux.Seccomp != nil {
		if seccomp.Enabled() {
			if err := seccomp.LoadSeccompConfig(config.Linux.Seccomp, config.Process.NoNewPrivileges, 1); err != nil {
				return err
			}
		} else {
			return fmt.Errorf("seccomp requested but not enabled, seccomp library is missing or too old")
		}
	}
	return nil
}

// GetParam iterates over security argument and returns parameters
// for the security feature
func GetParam(security []string, feature string) string {
	for _, param := range security {
		splitted := strings.SplitN(param, ":", 2)
		if splitted[0] == feature {
			if len(splitted) != 2 {
				sylog.Warningf("bad format for parameter %s (format is <security>:<arg>)", param)
			}
			return splitted[1]
		}
	}
	return ""
}