[lxc-devel] [PATCH 3/3] support setting lsm label at exec or immediately

Dwight Engen dwight.engen at oracle.com
Wed Oct 16 19:01:17 UTC 2013


On Wed, 16 Oct 2013 13:17:08 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > - Add attach test cases
> > 
> > - Moved setting of LSM label later to avoid failure of IPC between
> > parent and child during attach
> 
> ...
> 
> > diff --git a/src/tests/attach.c b/src/tests/attach.c
> > new file mode 100644
> > index 0000000..76a1f1f
> > --- /dev/null
> > +++ b/src/tests/attach.c
> > @@ -0,0 +1,380 @@
> > +/* liblxcapi
> > + *
> > + * Copyright © 2013 Oracle.
> > + *
> > + * Authors:
> > + * Dwight Engen <dwight.engen at oracle.com>
> > + *
> > + * This program is free software; you can redistribute it and/or
> > modify
> > + * it under the terms of the GNU General Public License version 2,
> > as
> > + * published by the Free Software Foundation.
> > + *
> > + * This program is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + * GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public
> > License along
> > + * with this program; if not, write to the Free Software
> > Foundation, Inc.,
> > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > + */
> > +
> > +#include <lxc/lxccontainer.h>
> > +#include <lxc/utils.h>
> > +#include <lxc/lsm/lsm.h>
> > +
> > +#include <errno.h>
> > +#include <unistd.h>
> > +
> > +#define TSTNAME    "lxc-attach-test"
> > +#define TSTERR(fmt, ...) do { \
> > +	fprintf(stderr, "%s:%d " fmt "\n", __FILE__, __LINE__,
> > ##__VA_ARGS__); \ +} while (0)
> > +
> > +#if HAVE_APPARMOR
> > +#define LSM_CONFIG_KEY	"lxc.aa_profile"
> > +#define LSM_LABEL	"lxc-container-default"
> > +#endif
> > +
> > +#if HAVE_SELINUX
> > +#define LSM_CONFIG_KEY	"lxc.se_context"
> > +#define
> > LSM_LABEL	"unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023"
> > +#endif
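
Review bot: At the end of this hunk the `#if HAVE_APPARMOR` and `#if HAVE_SELINUX` blocks each define `LSM_CONFIG_KEY` and `LSM_LABEL` unconditionally, so a build with both set redefines the two macros, and a build with neither set leaves them undefined for the rest of the test. Make the blocks mutually exclusive (`#if HAVE_APPARMOR`, `#elif HAVE_SELINUX`, then an `#else` that skips the LSM cases or raises `#error`), or drop the compile-time choice and select the key and label for whichever LSM is active when the test runs. Separately, `TSTERR` calls `fprintf` but `<stdio.h>` is not among the includes shown here; include it directly rather than relying on the lxc headers to pull it in.
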
> 
> This breaks builds for me because both HAVE_APPARMOR and HAVE_SELINUX
> are set.

Ahh, hmm. Do you actually have both run time enabled? Does that work?! Should I try to run time detect which ones are enabled and then run the tests for what it finds?



