[lxc-devel] [PATCH 3/3] support setting lsm label at exec or immediately

Serge Hallyn serge.hallyn at ubuntu.com
Wed Oct 16 19:43:00 UTC 2013


Quoting Dwight Engen (dwight.engen at oracle.com):
> On Wed, 16 Oct 2013 13:17:08 -0500
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > - Add attach test cases
> > > 
> > > - Moved setting of LSM label later to avoid failure of IPC between
> > > parent and child during attach
> > 
> > ...
> > 
> > > diff --git a/src/tests/attach.c b/src/tests/attach.c
> > > new file mode 100644
> > > index 0000000..76a1f1f
> > > --- /dev/null
> > > +++ b/src/tests/attach.c
> > > @@ -0,0 +1,380 @@
> > > +/* liblxcapi
> > > + *
> > > + * Copyright © 2013 Oracle.
> > > + *
> > > + * Authors:
> > > + * Dwight Engen <dwight.engen at oracle.com>
> > > + *
> > > + * This program is free software; you can redistribute it and/or
> > > modify
> > > + * it under the terms of the GNU General Public License version 2,
> > > as
> > > + * published by the Free Software Foundation.
> > > + *
> > > + * This program is distributed in the hope that it will be useful,
> > > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > + * GNU General Public License for more details.
> > > + *
> > > + * You should have received a copy of the GNU General Public
> > > License along
> > > + * with this program; if not, write to the Free Software
> > > Foundation, Inc.,
> > > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > > + */
> > > +
> > > +#include <lxc/lxccontainer.h>
> > > +#include <lxc/utils.h>
> > > +#include <lxc/lsm/lsm.h>
> > > +
> > > +#include <errno.h>
> > > +#include <unistd.h>
> > > +
> > > +#define TSTNAME    "lxc-attach-test"
> > > +#define TSTERR(fmt, ...) do { \
> > > +	fprintf(stderr, "%s:%d " fmt "\n", __FILE__, __LINE__,
> > > ##__VA_ARGS__); \ +} while (0)
> > > +
> > > +#if HAVE_APPARMOR
> > > +#define LSM_CONFIG_KEY	"lxc.aa_profile"
> > > +#define LSM_LABEL	"lxc-container-default"
> > > +#endif
> > > +
> > > +#if HAVE_SELINUX
> > > +#define LSM_CONFIG_KEY	"lxc.se_context"
> > > +#define
> > > LSM_LABEL	"unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023"
> > > +#endif
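Review bot: when both HAVE_APPARMOR and HAVE_SELINUX are defined, the second `#if` block redefines LSM_CONFIG_KEY and LSM_LABEL with different values, which is a macro-redefinition warning (an error under -Werror), and when neither is defined the two macros are never defined at all, so any use of them in the test fails to compile. Both LSMs can be compiled into libselinux/liblxc and the kernel while at most one is active on the running system, so a compile-time switch is the wrong level here: replace the two `#define`s with variables such as `const char *lsm_key, *lsm_label;` that a runtime probe fills in from the LSM the kernel actually reports as active, and have the test skip the label cases when it finds none.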
> > 
> > This breaks builds for me because both HAVE_APPARMOR and HAVE_SELINUX
> > are set.
> 
> Ahh, hmm. Do you actually have both runtime-enabled? Does that work?! Should I try to runtime-detect which ones are enabled and then run the tests for what it finds?

Well, libselinux is enabled and SELinux is compiled into the
kernel (but not actually enabled).  In any case I guess compile-time
checking isn't right for this.  So yeah, you should check
at runtime.

-serge
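An added example of the runtime selection Serge asks for, written for this
page and not taken from the patch or from the lxc tree: it picks the config
key and label from the list of LSMs the kernel reports as active instead of
from HAVE_APPARMOR/HAVE_SELINUX. The `/sys/kernel/security/lsm` path is an
assumption (it is what current kernels expose; older kernels would need
per-LSM probes), and the key/label strings are the ones the patch defines.
The parsing is split out so it can be exercised on constructed input without
depending on the host.

```c
/* Added example (not part of the patch or of liblxc): choose the LSM config
 * key and label at runtime rather than with #if HAVE_APPARMOR / HAVE_SELINUX.
 * The /sys path and the label strings are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum lsm_kind { LSM_NONE = 0, LSM_APPARMOR = 1, LSM_SELINUX = 2 };

struct lsm_choice {
    enum lsm_kind kind;
    const char *config_key;   /* lxc config key the test should set */
    const char *label;        /* label/profile to assign and expect back */
};

/* Pick the active confinement LSM from a comma-separated list such as the
 * contents of /sys/kernel/security/lsm ("capability,yama,apparmor\n").
 * Matching is on whole tokens, so "selinuxfs" or "apparmor2" do not match;
 * the first of apparmor/selinux found wins, since the kernel activates at
 * most one of them. Returns LSM_NONE when neither is listed. */
struct lsm_choice lsm_select_from_list(const char *list)
{
    struct lsm_choice c = { LSM_NONE, NULL, NULL };
    char buf[256];
    char *tok, *save = NULL;

    if (list == NULL)
        return c;
    snprintf(buf, sizeof buf, "%s", list);
    for (tok = strtok_r(buf, ",\n", &save); tok != NULL;
         tok = strtok_r(NULL, ",\n", &save)) {
        if (strcmp(tok, "apparmor") == 0) {
            c.kind = LSM_APPARMOR;
            c.config_key = "lxc.aa_profile";
            c.label = "lxc-container-default";
            return c;
        }
        if (strcmp(tok, "selinux") == 0) {
            c.kind = LSM_SELINUX;
            c.config_key = "lxc.se_context";
            c.label = "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023";
            return c;
        }
    }
    return c;
}

/* Read the kernel's list of active LSMs. Returns LSM_NONE when the file is
 * missing (securityfs not mounted, older kernel) so the caller can skip the
 * label tests instead of failing them. */
struct lsm_choice lsm_select_active(void)
{
    struct lsm_choice none = { LSM_NONE, NULL, NULL };
    char line[256] = "";
    FILE *f = fopen("/sys/kernel/security/lsm", "r");  /* assumed path */

    if (f == NULL)
        return none;
    if (fgets(line, sizeof line, f) == NULL)
        line[0] = '\0';
    fclose(f);
    return lsm_select_from_list(line);
}

int main(void)
{
    struct lsm_choice c = lsm_select_active();

    if (c.kind == LSM_NONE) {
        printf("no AppArmor/SELinux active, skipping LSM label tests\n");
        return 0;
    }
    printf("testing with %s = %s\n", c.config_key, c.label);
    return 0;
}
```

In the attach test this replaces the two `#define`s: the test sets
`c.config_key` to `c.label` through the container API and compares what the
attached process reports against `c.label`, and a LSM_NONE result turns the
LSM cases into a skip rather than a build failure on hosts that have both
libraries but neither LSM active.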
