[lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Oct 18 16:14:07 UTC 2013
Quoting Dwight Engen (dwight.engen at oracle.com):
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 7538403..2bf417e 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -556,14 +556,10 @@ static int do_start(void *data)
> if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
> return -1;
>
> - /* XXX: hmm apparmor switches right away since it uses
> - * aa_change_profile() and not aa_change_onexec(). SELinux on the other
> - * hand is going to transition on exec(). Is it bad to run the stuff
> - * between here and exec() in the more privileged context?
> - */
> + /* Set the label to change to when we exec(2) the container's init */
> if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
> handler->conf->lsm_aa_profile :
> - handler->conf->lsm_se_context, 1) < 0)
> + handler->conf->lsm_se_context, 1, 1) < 0)
> goto out_warn_father;
> lsm_proc_unmount(handler->conf);
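Review bot: the label handed to lsm_process_label_set() is chosen by which config field is non-NULL (`lsm_aa_profile ? lsm_aa_profile : lsm_se_context`), not by which LSM is active, so a config that leaves lsm_aa_profile unset and sets lsm_se_context passes the SELinux context to the call whatever driver is in use. Select the label by the enabled driver before the call. The bare `1, 1` arguments also do not show which one requests the on-exec transition that the new comment describes; a named constant or a short comment at the call site would make that reviewable.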
Hi,
This isn't urgent, but it is an issue I noticed yesterday (in your
original patch, not in this patch). The original behavior for apparmor
was that if aa_profile was not specified, then the default would be
used. With this here, if someone leaves lxc.aa_profile unset to get
the default, has lxc.se_context set, and starts the container on an
apparmor system, then the startup will fail because it will try to set
the se_context as the aa_profile.
I guess the simplest way to fix this would be to check drv here and pass
in the right context based on which drv is enabled?
-serge
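
The case described in the reply above, as an added example that is not part of the original message or of the lxc source: a constructed config with aa_profile unset and se_context set, run through the hunk's field-based selection and through a driver-based one. `struct label_conf`, `label_by_driver`, the driver name strings and the sample context value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two label fields of the container config. */
struct label_conf {
    const char *lsm_aa_profile; /* lxc.aa_profile, NULL when unset */
    const char *lsm_se_context; /* lxc.se_context, NULL when unset */
};

/* Selection as in the quoted hunk: keyed on which field is set. */
static const char *label_by_field(const struct label_conf *c)
{
    return c->lsm_aa_profile ? c->lsm_aa_profile : c->lsm_se_context;
}

/* Selection keyed on the active driver (driver names are assumed).
 * NULL means no label is configured for that driver; the caller is
 * assumed to fall back to the driver's default in that case. */
static const char *label_by_driver(const char *drv, const struct label_conf *c)
{
    if (drv && strcmp(drv, "AppArmor") == 0)
        return c->lsm_aa_profile;
    if (drv && strcmp(drv, "SELinux") == 0)
        return c->lsm_se_context;
    return NULL; /* no known LSM driver active: nothing to set */
}

/* Constructed config for the case in the reply: aa_profile unset,
 * se_context set. The context string is a constructed sample value. */
static const struct label_conf mixed_conf = {
    .lsm_aa_profile = NULL,
    .lsm_se_context = "system_u:system_r:lxc_t:s0",
};

int main(void)
{
    const char *drivers[] = { "AppArmor", "SELinux" };
    for (size_t i = 0; i < 2; i++) {
        const char *by_field = label_by_field(&mixed_conf);
        const char *by_drv = label_by_driver(drivers[i], &mixed_conf);
        printf("%-8s by-field=%s by-driver=%s\n", drivers[i],
               by_field ? by_field : "(default)",
               by_drv ? by_drv : "(default)");
    }
    return 0;
}
```

On the AppArmor row the field-based selection yields the SELinux context, while the driver-based one yields no label and leaves the default in place.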