[lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision

Stéphane Graber stgraber at ubuntu.com
Thu Oct 24 01:52:36 UTC 2013 

On Wed, Oct 23, 2013 at 08:54:13PM -0500, Serge Hallyn wrote:
> Since we check /sys/kernel/security/ files when deciding whether
> apparmor is enabled, and that might not be mounted in the container,
> we cannot re-make the decision at apparmor_process_label_set() time.
> Luckily we don't have to - just cache the decision made at
> lsm_apparmor_drv_init().
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lsm/apparmor.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index cf8020d..aaf8056 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -32,6 +32,9 @@
>  
>  lxc_log_define(lxc_apparmor, lxc);
>  
> +/* set by lsm_apparmor_drv_init if true */
> +static int aa_enabled = 0;
> +
>  #define AA_DEF_PROFILE "lxc-container-default"
>  #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
>  #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
> @@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
>  static int apparmor_process_label_set(const char *label, int use_default,
>  				      int on_exec)
>  {
> -	if (!apparmor_enabled())
> +	if (!aa_enabled)
>  		return 0;
>  
>  	if (!label) {
> @@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
>  {
>  	if (!apparmor_enabled())
>  		return NULL;
> +	aa_enabled = 1;
>  	return &apparmor_drv;
>  }
> -- 
> 1.8.1.2
> 
> 
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131023/ead94947/attachment.pgp>

More information about the lxc-devel mailing list