[lxc-devel] [PATCH] use proper config item depending on which lsm is enabled

[Dwight Engen]

On a system with AppArmor enabled, if lxc.se_context is configured but
lxc.aa_profile is not (because the user just wants to use the default
AppArmor profile) lxc was passing the lxc.se_context to be set as the
new AppArmor profile. Determine which configuration item to use based
on which lsm is enabled.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
 src/lxc/start.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2bf417e..e46f3a0 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 static int do_start(void *data)
 {
 	struct lxc_handler *handler = data;
+	const char *lsm_label = NULL;
 
 	if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
 		SYSERROR("failed to set sigprocmask");
@@ -557,9 +558,11 @@ static int do_start(void *data)
 		return -1;
 
 	/* Set the label to change to when we exec(2) the container's init */
-	if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
-				  handler->conf->lsm_aa_profile :
-				  handler->conf->lsm_se_context, 1, 1) < 0)
+	if (!strcmp(lsm_name(), "AppArmor"))
+		lsm_label = handler->conf->lsm_aa_profile;
+	else if (!strcmp(lsm_name(), "SELinux"))
+		lsm_label = handler->conf->lsm_se_context;
+	if (lsm_process_label_set(lsm_label, 1, 1) < 0)
 		goto out_warn_father;
 	lsm_proc_unmount(handler->conf);
 
-- 
1.8.3.1