https://github.com/pjbgf/go-apparmor
go-apparmor provides a go-native API to manage AppArmor profiles.
- Host: GitHub
- URL: https://github.com/pjbgf/go-apparmor
- Owner: pjbgf
- License: mit
- Created: 2021-11-09T13:13:55.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-11-07T18:49:09.000Z (11 months ago)
- Last Synced: 2025-03-25T13:21:21.435Z (6 months ago)
- Topics: apparmor
- Language: Go
- Homepage:
- Size: 1.43 MB
- Stars: 3
- Watchers: 2
- Forks: 1
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# go-apparmor
go-apparmor is an initial draft of how AppArmor profiles could be managed from Go with a reduced attack surface.

It leverages `libapparmor` to load profiles into the kernel and to delete them. `libapparmor` currently does not parse plain-text profiles; it requires them to be in binary format. The `apparmor_parser` (from `apparmor-utils`) is used to make that conversion, and this operation takes place at a lower privilege level.

## Security Context
When running inside a container, the library will automatically attempt to "privilege escalate" into the host's mount namespace just for the load/delete operations, and then revert back. However, this requires `HostPID` and running as `privileged` from the get-go.

Permissions required:

- Host's PID namespace
- Host's Mount namespace
- run as root
- `CAP_SYS_ADMIN`
- privileged (for containers)

Running directly on the host machine as `root` is enough.
## Next steps
- [ ] Implement Enforceable() and a func to check whether a profile is already loaded.
- [ ] Split hostop package from this repo.
- [x] Refactor apparmor package.
- [x] Add some tests.