From c5044663e0ae0d5ebd07c50003a003cfbdb0a657 Mon Sep 17 00:00:00 2001
From: "Sphicas, Phil (ps3910)"
Date: Wed, 14 Aug 2019 17:48:16 -0700
Subject: [PATCH] Add apparmor profiles on genesis node in multinode gate
The bootactions which will be deployed via Drydock on nodes need to be performed on Genesis node as well. This should be done as part of pre-genesis setup before genesis.sh is executed. This patchset allows apparmor profiles to be staged on the genesis node in the same manner as seccomp profiles.
Change-Id: I418c955a131dc8e23ab5f4d900ae5ea4f7985468
Reference: https://review.opendev.org/644824
---
 .../airship_gate/lib/bootaction-runner.sh | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh b/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
index 2a2e8fad..ef841d1a 100755
--- a/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
@@ -107,6 +107,7 @@ echo "Using rendered manifests file '$rendered_file'"
 # env vars which can be set if you want to disable
 : ${DISABLE_SECCOMP_PROFILE:=}
+: ${DISABLE_APPARMOR_PROFILES:=}
 ###############################################################################
@@ -132,3 +133,39 @@ if [[ ! $DISABLE_SECCOMP_PROFILE ]]; then
 # seccomp_default
 install_file "$path" "$content" "$permissions"
 fi
+
+###############################################################################
+# bootaction: apparmor-profiles
+###############################################################################
+
+if [[ ! $DISABLE_APPARMOR_PROFILES ]]; then
+
+ manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+ "apparmor-profiles" "['data']['assets']" "get_size"
+
+ if [[ -n "$RESULT" ]] && [[ $RESULT -gt 0 ]]; then
+
+ # Fetch apparmor profile data
+ LAST=$(( $RESULT - 1 ))
+ for i in `seq 0 $LAST`; do
+
+ manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+ "apparmor-profiles" "['data']['assets'][$i]['path']"
+ path="$RESULT"
+ echo "apparmor profiles asset[$i] path located: '$path'"
+ manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+ "apparmor-profiles" "['data']['assets'][$i]['permissions']"
+ permissions="$RESULT"
+ echo "apparmor profiles asset[$i] permissions located: '$permissions'"
+ manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+ "apparmor-profiles" "['data']['assets'][$i]['data']"
+ content="$RESULT"
+ echo "apparmor profiles assets[$i] data located: '$content'"
+
+ install_file "$path" "$content" "$permissions"
+ done
+
+ # reload all apparmor profiles
+ systemctl reload apparmor.service
+ fi
+fi
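Review bot: The `systemctl reload apparmor.service` at the end of the new block is not checked, so if a staged profile fails to parse, the reload can fail and the script would carry on towards genesis without the intended confinement, unless `set -e` is in effect earlier in the file, which this hunk does not show. I would make the failure explicit with `systemctl reload apparmor.service || { echo "apparmor reload failed" >&2; exit 1; }` (or `return 1` if this lib file is sourced). The asset count is also compared with `[[ $RESULT -gt 0 ]]`, which bash evaluates arithmetically, so a guard such as `[[ "$RESULT" =~ ^[0-9]+$ ]]` ahead of the comparison would keep a malformed manifest value from being evaluated. `manifests_lookup` and `install_file` are defined outside the hunk, so how they constrain `path` and `permissions` cannot be judged from here.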