test:cri: Add guest AppArmor support

Add a test case which check whether AppArmor inside the guest
works properly using containerd.

The test creates a container configured to apply the `kata-default`
profile, then it checks the container process is running with the
profile enforced.

Fixes: #5748
Depends-on: github.com/kata-containers/kata-containers#7587

Signed-off-by: Manabu Sugimoto <[email protected]>

Author: ManaSugi

Diff for: .ci/install_kata_image.sh

@@ -16,6 +16,9 @@ source "${cidir}/lib.sh"
 main() {
 	build_static_artifact_and_install "rootfs-image"
 	build_static_artifact_and_install "rootfs-initrd"
+
+	# Build and install an image for the guest AppArmor
+	build_install_apparmor_image
 }
 
 main

Diff for: .ci/lib.sh

@@ -17,6 +17,7 @@ fi
 export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
 export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
 export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
+export KATA_APPARMOR_IMAGE="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
 
 export katacontainers_repo=${katacontainers_repo:="github.com/kata-containers/kata-containers"}
 export katacontainers_repo_git="https://${katacontainers_repo}.git"
@@ -180,6 +181,24 @@ function build_static_artifact_and_install() {
 	popd >/dev/null
 }
 
+build_install_apparmor_image() {
+	USE_DOCKER=${USE_DOCKER:-"true"}
+
+	info "Build AppArmor guest image"
+	local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
+	local rootfs_dir="${rootfs_builder_dir}/rootfs-apparmor"
+	pushd "$rootfs_builder_dir" >/dev/null
+	sudo -E AGENT_INIT=no APPARMOR=yes USE_DOCKER="${USE_DOCKER}" ./rootfs.sh -r "${rootfs_dir}" ubuntu
+	popd >/dev/null
+
+	info "Install AppArmor guest image"
+	local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
+	pushd "${image_builder_dir}" >/dev/null
+	sudo -E AGENT_INIT=no USE_DOCKER="${USE_DOCKER}" ./image_builder.sh "${rootfs_dir}"
+	popd >/dev/null
+	sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${KATA_APPARMOR_IMAGE}"
+}
+
 function get_dep_from_yaml_db(){
 	local versions_file="$1"
 	local dependency="$2"

Diff for: integration/containerd/cri/integration-tests.sh

@@ -18,6 +18,8 @@ source "${SCRIPT_PATH}/../../../.ci/lib.sh"
 # runc is installed in /usr/local/sbin/ add that path
 export PATH="$PATH:/usr/local/sbin"
 
+TEST_INITRD="${TEST_INITRD:-no}"
+
 containerd_tarball_version=$(get_version "externals.containerd.version")
 
 # Runtime to be used for testing
@@ -97,7 +99,7 @@ ci_cleanup() {
 	fi
 
 	[ -f "$kata_config_backup" ] && sudo mv "$kata_config_backup" "$kata_config" || \
-		sudo rm "$kata_config"
+		sudo rm "$kata_config" || true
 }
 
 create_containerd_config() {
@@ -431,6 +433,75 @@ EOF
 	create_containerd_config "${containerd_runtime_test}"
 }
 
+TestContainerGuestApparmor() {
+    info "Test container guest AppArmor"
+
+    # The ppc64le job uses the initrd image, so the test will be skipped.
+    if [[ "${TEST_INITRD}" == "yes" ]]; then
+        info "Skip the test because the guest AppArmor doesn't work with the agent init"
+        return
+    fi
+    if [ ! -e "${KATA_APPARMOR_IMAGE}" ]; then
+        info "Skip the test becasue the guest AppArmor image doesn't exist"
+        return
+    fi
+
+    # Set the guest AppArmor rootfs image because the guest AppArmor doesn't work with the agent init.
+    sudo sed -i "/^image =/c image = "\"${KATA_APPARMOR_IMAGE}\""" "${kata_config}"
+    # Enable the guest AppArmor.
+    sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
+    sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"
+
+    local container_yaml="${REPORT_DIR}/container.yaml"
+    local image="busybox:latest"
+    cat << EOF > "${container_yaml}"
+metadata:
+  name: busybox-apparmor
+image:
+  image: "$image"
+command:
+- top
+EOF
+
+    info "Check the AppArmor profile is applied to the container executed by crictl start"
+    testContainerStart 1
+    aa_status=$(expect -c "
+    spawn -noecho kata-runtime exec $podid
+    expect "root@localhost:/#"
+    send \"aa-status\n\"
+    expect "root@localhost:/#"
+    send \"exit\n\"
+    expect eof
+    ")
+    echo "aa-status results:"
+    echo "${aa_status}"
+    ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
+    [ -n "$ret" ] || die "not found /bin/top kata-default profile"
+
+    info "Check the AppArmor profile is applied to the process executed by crictl exec"
+    sudo -E crictl exec $cid sleep 10 &
+    # sleep for 1s to make sure the exec process started.
+    sleep 1
+    aa_status=$(expect -c "
+    spawn -noecho kata-runtime exec $podid
+    expect "root@localhost:/#"
+    send \"aa-status\n\"
+    expect "root@localhost:/#"
+    send \"exit\n\"
+    expect eof
+    ")
+    echo "aa-status results:"
+    echo "${aa_status}"
+    ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
+    [ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
+
+    testContainerStop
+
+    # Reset the Kata configuration file.
+    sudo rm "${kata_config}"
+    ci_config
+}
+
 # k8s may restart docker which will impact on containerd stop
 stop_containerd() {
 	local tmp=$(pgrep kubelet || true)
@@ -509,6 +580,8 @@ main() {
 		TestContainerMemoryUpdate 0
 	fi
 
+	TestContainerGuestApparmor
+
 	TestKilledVmmCleanup
 
 	popd