Merge pull request #1161 from stgraber/main

incusd/apparmor: Don't constantly query the version and cache

Author: hallyn

internal/server/apparmor/apparmor.go

@@ -21,7 +21,45 @@ const (
 	cmdParse  = "Q"
 )
 
+var aaCacheDir string
 var aaPath = internalUtil.VarPath("security", "apparmor")
+var aaVersion *version.DottedVersion
+
+func init() {
+	// Fill in aaVersion.
+	out, err := subprocess.RunCommand("apparmor_parser", "--version")
+	if err != nil {
+		return
+	}
+
+	fields := strings.Fields(strings.Split(out, "\n")[0])
+	parsedVersion, err := version.Parse(fields[len(fields)-1])
+	if err != nil {
+		return
+	}
+
+	aaVersion = parsedVersion
+
+	// Fill in aaCacheDir.
+	basePath := filepath.Join(aaPath, "cache")
+
+	// Multiple policy cache directories were only added in v2.13.
+	minVer, err := version.NewDottedVersion("2.13")
+	if err != nil {
+		return
+	}
+
+	if aaVersion.Compare(minVer) < 0 {
+		aaCacheDir = basePath
+	} else {
+		output, err := subprocess.RunCommand("apparmor_parser", "-L", basePath, "--print-cache-dir")
+		if err != nil {
+			return
+		}
+
+		aaCacheDir = strings.TrimSpace(output)
+	}
+}
 
 // runApparmor runs the relevant AppArmor command.
 func runApparmor(sysOS *sys.OS, command string, name string) error {
@@ -144,19 +182,18 @@ func deleteProfile(sysOS *sys.OS, fullName string, name string) error {
 		return nil
 	}
 
-	cacheDir, err := getCacheDir(sysOS)
-	if err != nil {
-		return err
+	if aaCacheDir == "" {
+		return fmt.Errorf("Couldn't identify AppArmor cache directory")
 	}
 
-	err = unloadProfile(sysOS, fullName, name)
+	err := unloadProfile(sysOS, fullName, name)
 	if err != nil {
 		return err
 	}
 
-	err = os.Remove(filepath.Join(cacheDir, name))
+	err = os.Remove(filepath.Join(aaCacheDir, name))
 	if err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("Failed to remove %s: %w", filepath.Join(cacheDir, name), err)
+		return fmt.Errorf("Failed to remove %s: %w", filepath.Join(aaCacheDir, name), err)
 	}
 
 	err = os.Remove(filepath.Join(aaPath, "profiles", name))
@@ -173,9 +210,8 @@ func parserSupports(sysOS *sys.OS, feature string) (bool, error) {
 		return false, nil
 	}
 
-	ver, err := getVersion(sysOS)
-	if err != nil {
-		return false, err
+	if aaVersion == nil {
+		return false, fmt.Errorf("Couldn't identify AppArmor version")
 	}
 
 	if feature == "unix" {
@@ -184,7 +220,7 @@ func parserSupports(sysOS *sys.OS, feature string) (bool, error) {
 			return false, err
 		}
 
-		return ver.Compare(minVer) >= 0, nil
+		return aaVersion.Compare(minVer) >= 0, nil
 	}
 
 	if feature == "nosymfollow" {
@@ -193,58 +229,12 @@ func parserSupports(sysOS *sys.OS, feature string) (bool, error) {
 			return false, err
 		}
 
-		return ver.Compare(minVer) >= 0, nil
+		return aaVersion.Compare(minVer) >= 0, nil
 	}
 
 	return false, nil
 }
 
-// getVersion reads and parses the AppArmor version.
-func getVersion(sysOS *sys.OS) (*version.DottedVersion, error) {
-	if !sysOS.AppArmorAvailable {
-		return version.NewDottedVersion("0.0")
-	}
-
-	out, err := subprocess.RunCommand("apparmor_parser", "--version")
-	if err != nil {
-		return nil, err
-	}
-
-	fields := strings.Fields(strings.Split(out, "\n")[0])
-	return version.Parse(fields[len(fields)-1])
-}
-
-// getCacheDir returns the applicable AppArmor cache directory.
-func getCacheDir(sysOS *sys.OS) (string, error) {
-	basePath := filepath.Join(aaPath, "cache")
-
-	if !sysOS.AppArmorAvailable {
-		return basePath, nil
-	}
-
-	ver, err := getVersion(sysOS)
-	if err != nil {
-		return "", err
-	}
-
-	// Multiple policy cache directories were only added in v2.13.
-	minVer, err := version.NewDottedVersion("2.13")
-	if err != nil {
-		return "", err
-	}
-
-	if ver.Compare(minVer) < 0 {
-		return basePath, nil
-	}
-
-	output, err := subprocess.RunCommand("apparmor_parser", "-L", basePath, "--print-cache-dir")
-	if err != nil {
-		return "", err
-	}
-
-	return strings.TrimSpace(output), nil
-}
-
 // profileName handles generating valid profile names.
 func profileName(prefix string, name string) string {
 	separators := 1