[lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Oct 24 01:54:13 UTC 2013
Since we check /sys/kernel/security/ files when deciding whether
apparmor is enabled, and that might not be mounted in the container,
we cannot re-make the decision at apparmor_process_label_set() time.
Luckily we don't have to - just cache the decision made at
lsm_apparmor_drv_init().
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/lsm/apparmor.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index cf8020d..aaf8056 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -32,6 +32,9 @@
lxc_log_define(lxc_apparmor, lxc);
+/* set by lsm_apparmor_drv_init if true */
+static int aa_enabled = 0;
+
#define AA_DEF_PROFILE "lxc-container-default"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
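Review bot: the comment on the new static, "set by lsm_apparmor_drv_init if true", leaves it unclear what "if true" refers to; suggest wording it as "set to 1 by lsm_apparmor_drv_init() when apparmor_enabled() succeeds; cached because /sys/kernel/security may not be mounted inside the container", so the reason given in the commit message is visible at the declaration rather than only in the log.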
@@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
static int apparmor_process_label_set(const char *label, int use_default,
int on_exec)
{
- if (!apparmor_enabled())
+ if (!aa_enabled)
return 0;
if (!label) {
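Review bot: with `if (!aa_enabled)` in place of `if (!apparmor_enabled())`, apparmor_process_label_set() now depends on lsm_apparmor_drv_init() having run earlier in this process (or in the parent it was forked from); if any path can reach this function without the driver having been initialised, aa_enabled is still 0 and the function returns 0 without applying a label, which is a silent no-op rather than a reported failure. Either state in the commit message that driver init always precedes this call, or log via the lxc_apparmor log category when aa_enabled is 0 so a profile that was expected but not applied shows up in the container log.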
@@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
{
if (!apparmor_enabled())
return NULL;
+ aa_enabled = 1;
return &apparmor_drv;
}
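Review bot: setting `aa_enabled = 1;` only after the apparmor_enabled() check means the zero default correctly covers the disabled case, so the logic is fine; minor style point: the flag only ever holds 0 or 1 and is tested as a boolean, so `static bool aa_enabled = false;` with `aa_enabled = true;` here (stdbool.h) would make the intent explicit.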
--
1.8.1.2