[lxc-devel] [PATCH] attach: handle apparmor transitions in !NEWNS cases
Stéphane Graber
stgraber at ubuntu.com
Wed Mar 6 23:46:48 UTC 2013
On 03/06/2013 02:41 PM, Serge Hallyn wrote:
> If we're not attaching to the mount ns, then don't enter the
> container's apparmor policy. Since we're running binaries from the host
> and not the container, that actually seems the sane thing to do (besides
> also the lazier thing).
>
> If we don't do this patch, then we will need to move the apparmor attach
> past the procfs remount, will need to also mount securityfs if available,
> and for the !remount_proc_sys case we'll want to mount those just long
> enough to do the apparmor transition.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/lxc_attach.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index 1f60266..60d9eac 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -375,9 +375,11 @@ int main(int argc, char *argv[])
> lxc_sync_fini_parent(handler);
> close(cgroup_ipc_sockets[1]);
>
> - if (attach_apparmor(init_ctx->aa_profile) < 0) {
> - ERROR("failed switching apparmor profiles");
> - return -1;
> + if ((namespace_flags & CLONE_NEWNS)) {
> + if (attach_apparmor(init_ctx->aa_profile) < 0) {
> + ERROR("failed switching apparmor profiles");
> + return -1;
> + }
> }
>
> /* A description of the purpose of this functionality is
>
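Review bot: the new `if ((namespace_flags & CLONE_NEWNS))` guard skips the AppArmor transition silently, so when a caller attaches without the mount namespace the process keeps the host's confinement instead of `init_ctx->aa_profile`; that is the intended behaviour per the commit message, but an `else` branch that logs it (an INFO line such as "not entering container apparmor profile, mount namespace not attached") would let an operator reading the attach output tell which policy the attached process actually runs under. Minor style point on the same line: the doubled parentheses are unnecessary, `if (namespace_flags & CLONE_NEWNS) {` reads cleaner.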
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com