[lxc-devel] [PATCH 2/8] lxc-attach: Completely rework lxc-attach and move to API function

Christian Seiler christian at iwakd.de
Wed Aug 14 20:19:30 UTC 2013


Hi Serge,

Thanks for reviewing!

>> +	/* load apparmor profile */
>> +	if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_APPARMOR)) {
>> +		ret = attach_apparmor(init_ctx->aa_profile);
>> +		if (ret < 0) {
>> +			shutdown(ipc_socket, SHUT_RDWR);
>> +			rexit(-1);
>> +		}
>> +	}
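
Review bot: the condition on the `if` line skips attach_apparmor() whenever CLONE_NEWNS is not in options->namespaces, even when the caller set LXC_ATTACH_APPARMOR, and nothing reports that the requested profile was not loaded. Either add a comment stating why the mount namespace is required here, or log the skipped case so that it is visible to the caller. The failure branch also goes from shutdown() straight to rexit(-1) with no error message; an ERROR() naming init_ctx->aa_profile before the shutdown would make a failed profile load diagnosable.
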
> 
> Are you doing the CLONE_NEWNS check because proc might otherwise not be
> mounted?  Would it make sense to move attach-apparmor to after the
> lxc_attach_remount_sys_proc() below so we can run it in that case too?

Actually, for the attaching part, I just took the current code [1, line
163] and copied it without any modifications unless they were required
because of the new structure. (I didn't add the apparmor part in the
first place anyway, I don't use it myself.)

[1]
<https://github.com/lxc/lxc/blob/b93aac46f2802b3639c1ac2ed0cf71174673d110/src/lxc/lxc_attach.c>

I don't really know what the rationale for the apparmor conditions is,
so maybe one could do what you are suggesting, maybe not - I have no
idea. On the other hand, I have no objection to it if you yourself are
convinced that it will work. ;)

-- Christian



