[lxc-devel] [PATCH 2/8] lxc-attach: Completely rework lxc-attach and move to API function

Serge Hallyn serge.hallyn at ubuntu.com
Wed Aug 14 20:12:39 UTC 2013


Quoting Christian Seiler (christian at iwakd.de):

No objection to pushing the patch as is, so

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

but one question:

> +	/* load apparmor profile */
> +	if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_APPARMOR)) {
> +		ret = attach_apparmor(init_ctx->aa_profile);
> +		if (ret < 0) {
> +			shutdown(ipc_socket, SHUT_RDWR);
> +			rexit(-1);
> +		}
> +	}
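Review bot: the AppArmor profile is loaded only when CLONE_NEWNS is in options->namespaces, so an attach that keeps the caller's mount namespace with LXC_ATTACH_APPARMOR set proceeds without the container's profile and nothing in this block reports that; the comment should state why the namespace condition is needed, and the `ret < 0` path should log the attach_apparmor() failure before `rexit(-1)`, since the caller otherwise only sees an exit status.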

Are you doing the CLONE_NEWNS check because proc might otherwise not be
mounted?  Would it make sense to move attach-apparmor to after the
lxc_attach_remount_sys_proc() below so we can run it in that case too?

> +
> +	/* A description of the purpose of this functionality is
> +	 * provided in the lxc-attach(1) manual page. We have to
> +	 * remount here and not in the parent process, otherwise
> +	 * /proc may not properly reflect the new pid namespace.
> +	 */
> +	if (!(options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_REMOUNT_PROC_SYS)) {
> +		ret = lxc_attach_remount_sys_proc();
> +		if (ret < 0) {
> +			shutdown(ipc_socket, SHUT_RDWR);
> +			rexit(-1);
> +		}
> +	}
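Review bot: this block is gated on the opposite condition (`!(options->namespaces & CLONE_NEWNS)`) from the AppArmor block above it, so the two never run in the same attach; if a freshly remounted /proc is what attach_apparmor() needs, the remount should be ordered before the profile load rather than after it, and the `if (ret < 0) { shutdown(ipc_socket, SHUT_RDWR); rexit(-1); }` sequence that is repeated verbatim in both blocks belongs in one error-exit helper so the two paths cannot drift apart.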
