use binaries: apparmor/apparmor-profile to get the name for the apparmor profile to use

2026-03-13 11:15:47 -07:00 · 2015-03-05 11:54:35 +01:00
parent baf316597a
commit 6f9ce577ec
3 changed files with 23 additions and 14 deletions
--- a/snappy/click.go
+++ b/snappy/click.go
@@ -368,20 +368,18 @@ aa-exec -p {{.AaProfile}} -- {{.Target}} "$@"
 }

 func getAaProfile(m *packageYaml, binary Binary) string {
+	// check if there is a specific apparmor profile
+	if binary.ApparmorProfile != "" {
+		return binary.ApparmorProfile
+	}
+	// ... or apparmor.json
+	if binary.Apparmor != "" {
+		return binary.Apparmor
+	}
+
 	// FIXME: we need to generate a default aa profile here instead
-	// once we have click-apparmor in snappy itself
-	clickhookPath := fmt.Sprintf("/var/lib/apparmor/clicks/%s_%s_%s.json", m.Name, filepath.Dir(binary.Name), m.Version)
-	if helpers.FileExists(clickhookPath) {
-		return clickhookPath
-	}
-
-	customProfilePath := fmt.Sprintf("/var/lib/apparmor/profiles/profile_%s_%s_%s", m.Name, filepath.Dir(binary.Name), m.Version)
-
-	if helpers.FileExists(customProfilePath) {
-		return customProfilePath
-	}
-
-	return "unconfined"
+	// of relying on a default one shipped by the package
+	return fmt.Sprintf("%s_%s_%s", m.Name, filepath.Base(binary.Name), m.Version)
 }

 func addPackageYamlBinaries(baseDir string) error {
--- a/snappy/click_test.go
+++ b/snappy/click_test.go
@@ -389,3 +389,12 @@ binaries:
 	c.Assert(helpers.FileExists(binaryWrapper), Equals, false)
 	c.Assert(helpers.FileExists(snapDir), Equals, false)
 }
+
+func (s *SnapTestSuite) TestSnappyGetAaProfile(c *C) {
+	m := packageYaml{Name: "foo",
+		Version: "1.0"}
+
+	c.Assert(getAaProfile(&m, Binary{Name: "bin/app"}), Equals, "foo_app_1.0")
+	c.Assert(getAaProfile(&m, Binary{Name: "bin/app", Apparmor: "some-security-json"}), Equals, "some-security-json")
+	c.Assert(getAaProfile(&m, Binary{Name: "bin/app", ApparmorProfile: "some-profile"}), Equals, "some-profile")
+}
--- a/snappy/snapp.go
+++ b/snappy/snapp.go
@@ -38,7 +38,9 @@ type Service struct {

 // Binary represents a single binary inside the binaries: package.yaml
 type Binary struct {
-	Name string `yaml:"name"`
+	Name            string `yaml:"name"`
+	Apparmor        string `yaml:"apparmor"`
+	ApparmorProfile string `yaml:"apparmor-profile"`
 }

 // SnapPart represents a generic snap type