[lxc-devel] [PATCH 3/3] support setting lsm label at exec or immediately

Dwight Engen dwight.engen at oracle.com
Wed Oct 16 20:17:04 UTC 2013


On Wed, 16 Oct 2013 14:43:00 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > On Wed, 16 Oct 2013 13:17:08 -0500
> > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > 
> > > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > > - Add attach test cases
> > > > 
> > > > - Moved setting of LSM label later to avoid failure of IPC
> > > > between parent and child during attach
> > > 
> > > ...
> > > 
> > > > diff --git a/src/tests/attach.c b/src/tests/attach.c
> > > > new file mode 100644
> > > > index 0000000..76a1f1f
> > > > --- /dev/null
> > > > +++ b/src/tests/attach.c
> > > > @@ -0,0 +1,380 @@
> > > > +/* liblxcapi
> > > > + *
> > > > + * Copyright © 2013 Oracle.
> > > > + *
> > > > + * Authors:
> > > > + * Dwight Engen <dwight.engen at oracle.com>
> > > > + *
> > > > + * This program is free software; you can redistribute it
> > > > and/or modify
> > > > + * it under the terms of the GNU General Public License
> > > > version 2, as
> > > > + * published by the Free Software Foundation.
> > > > + *
> > > > + * This program is distributed in the hope that it will be
> > > > useful,
> > > > + * but WITHOUT ANY WARRANTY; without even the implied warranty
> > > > of
> > > > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
> > > > the
> > > > + * GNU General Public License for more details.
> > > > + *
> > > > + * You should have received a copy of the GNU General Public
> > > > License along
> > > > + * with this program; if not, write to the Free Software
> > > > Foundation, Inc.,
> > > > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > > > + */
> > > > +
> > > > +#include <lxc/lxccontainer.h>
> > > > +#include <lxc/utils.h>
> > > > +#include <lxc/lsm/lsm.h>
> > > > +
> > > > +#include <errno.h>
> > > > +#include <unistd.h>
> > > > +
> > > > +#define TSTNAME    "lxc-attach-test"
> > > > +#define TSTERR(fmt, ...) do { \
> > > > +	fprintf(stderr, "%s:%d " fmt "\n", __FILE__, __LINE__,
> > > > ##__VA_ARGS__); \ +} while (0)
> > > > +
> > > > +#if HAVE_APPARMOR
> > > > +#define LSM_CONFIG_KEY	"lxc.aa_profile"
> > > > +#define LSM_LABEL	"lxc-container-default"
> > > > +#endif
> > > > +
> > > > +#if HAVE_SELINUX
> > > > +#define LSM_CONFIG_KEY	"lxc.se_context"
> > > > +#define
> > > > LSM_LABEL	"unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023"
> > > > +#endif
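Review bot: when both HAVE_APPARMOR and HAVE_SELINUX are defined, the second block redefines LSM_CONFIG_KEY and LSM_LABEL with different bodies (a macro-redefinition diagnostic, which is the build break reported below), and when neither is defined the macros never exist, so the test fails to compile in that configuration too. Since both LSMs can be built into one kernel but at most one is active, pick the key and label at runtime rather than with #if: detect which LSM is running (lxc/lsm/lsm.h is already included here), then choose `"lxc.aa_profile"` with `"lxc-container-default"` or `"lxc.se_context"` with the SELinux context accordingly, and skip the LSM test cases when neither is active.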
> > > 
> > > This breaks builds for me because both HAVE_APPARMOR and
> > > HAVE_SELINUX are set.
> > 
> > Ahh, hmm. Do you actually have both enabled at runtime? Does that
> > work?! Should I try to detect at runtime which ones are enabled and
> > then run the tests for what it finds?
> 
> Well, libselinux is enabled and selinux is compiled into the
> kernel (but not actually enabled).  In any case I guess compile-time
> checking isn't right for this.  So yeah, you should check
> at runtime.

Okay, thanks I'll rework it to do that.

> -serge
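A runtime LSM check of the kind discussed above, written here as an added example (it is not code from the patch or from liblxc). It reads the kernel's list of initialized LSMs from /sys/kernel/security/lsm, a file that appears on kernels newer than this 2013 thread, and falls back to probing the AppArmor securityfs directory and the selinuxfs mount for older ones; the result is mapped to the config key and label the test would set. The enum, the lsm_cfgs table and the function names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example: runtime LSM selection instead of #if HAVE_APPARMOR /
 * HAVE_SELINUX. Names below are this example's own, not liblxc's. */
enum lsm_kind { LSM_NONE = 0, LSM_APPARMOR = 1, LSM_SELINUX = 2 };

struct lsm_test_cfg {
	const char *name;
	const char *config_key;	/* config key the test would set */
	const char *label;	/* label/profile/context the test would use */
};

static const struct lsm_test_cfg lsm_cfgs[] = {
	[LSM_NONE]     = { "none", NULL, NULL },
	[LSM_APPARMOR] = { "apparmor", "lxc.aa_profile", "lxc-container-default" },
	[LSM_SELINUX]  = { "selinux", "lxc.se_context",
			   "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023" },
};

/* Parse the comma-separated module list in the format of
 * /sys/kernel/security/lsm (e.g. "capability,yama,apparmor\n") and
 * return the major LSM found, or LSM_NONE. Whole-token compares avoid
 * matching substrings of unrelated module names. */
enum lsm_kind lsm_kind_from_list(const char *list)
{
	const char *p = list;

	while (*p) {
		const char *end = strchr(p, ',');
		size_t n = end ? (size_t)(end - p) : strlen(p);

		/* trim a trailing newline or spaces on the last token */
		while (n && (p[n - 1] == '\n' || p[n - 1] == ' '))
			n--;
		if (n == 8 && strncmp(p, "apparmor", 8) == 0)
			return LSM_APPARMOR;
		if (n == 7 && strncmp(p, "selinux", 7) == 0)
			return LSM_SELINUX;
		if (!end)
			break;
		p = end + 1;
	}
	return LSM_NONE;
}

/* Detect the LSM active on the running kernel. Compile-time knowledge
 * (libapparmor/libselinux present) says nothing about what is enabled. */
enum lsm_kind lsm_kind_running(void)
{
	char buf[256];
	FILE *f = fopen("/sys/kernel/security/lsm", "r");

	if (f) {
		size_t n = fread(buf, 1, sizeof(buf) - 1, f);
		enum lsm_kind k;

		fclose(f);
		buf[n] = '\0';
		k = lsm_kind_from_list(buf);
		if (k != LSM_NONE)
			return k;
	}
	/* Older kernels: probe the filesystems each LSM exposes when active. */
	if (access("/sys/kernel/security/apparmor/profiles", R_OK) == 0)
		return LSM_APPARMOR;
	if (access("/sys/fs/selinux/enforce", R_OK) == 0)
		return LSM_SELINUX;
	return LSM_NONE;
}

int main(void)
{
	enum lsm_kind k = lsm_kind_running();

	if (k == LSM_NONE) {
		printf("no LSM active, skipping LSM attach tests\n");
		return 0;
	}
	printf("LSM %s active: would set %s = %s\n", lsm_cfgs[k].name,
	       lsm_cfgs[k].config_key, lsm_cfgs[k].label);
	return 0;
}
```

"Listed" is not the same as "enforcing": SELinux can be initialized with enforcement off, so a test that expects a denial should also read /sys/fs/selinux/enforce (it contains 0 or 1) before deciding which outcome to assert on.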
