[lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
Dwight Engen
dwight.engen at oracle.com
Fri Oct 18 18:31:45 UTC 2013
On Fri, 18 Oct 2013 11:14:07 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > diff --git a/src/lxc/start.c b/src/lxc/start.c
> > index 7538403..2bf417e 100644
> > --- a/src/lxc/start.c
> > +++ b/src/lxc/start.c
> > @@ -556,14 +556,10 @@ static int do_start(void *data)
> > if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
> > return -1;
> >
> > - /* XXX: hmm apparmor switches right away since it uses
> > - * aa_change_profile() and not aa_change_onexec(). SELinux
> > on the other
> > - * hand is going to transition on exec(). Is it bad to run
> > the stuff
> > - * between here and exec() in the more privileged context?
> > - */
> > + /* Set the label to change to when we exec(2) the
> > container's init */ if
> > (lsm_process_label_set(handler->conf->lsm_aa_profile ?
> > handler->conf->lsm_aa_profile :
> > - handler->conf->lsm_se_context,
> > 1) < 0)
> > + handler->conf->lsm_se_context,
> > 1, 1) < 0) goto out_warn_father;
> > lsm_proc_unmount(handler->conf);
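Review bot: the label passed to lsm_process_label_set() is chosen by which config field is non-NULL (handler->conf->lsm_aa_profile ? handler->conf->lsm_aa_profile : handler->conf->lsm_se_context), not by which LSM driver is active. With lsm_aa_profile unset and lsm_se_context set, the SELinux context is handed to the call as the label even on an AppArmor host, where NULL should be passed so the default profile applies. Select the argument from the active driver instead. The bare "1, 1" arguments are also opaque at the call site; a short comment saying which flag is which would help, since the removed XXX comment was the only text here that explained when the transition happens.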
>
> Hi,
>
> This isn't urgent, but it is an issue I noticed yesterday (in your
> original patch, not in this patch). The original behavior for
> apparmor was that if aa_profile was not specified, then the default
> would be used. With this here, if someone leaves lxc.aa_profile
> unset to get the default, has lxc.se_context set, and starts the
> container on an apparmor system, then the startup will fail bc it
> will try to set the se_context as the aa_profile.
Yeah, I had not considered having both on at the same time, nor having
se_context set on an AppArmor system.
> I guess the simplest way to fix this would be to check drv here and
> pass in the right context based on which drv is enabled?
Yep, following is a patch to do that on top of the lsm_name() thing.
> -serge