[lxc-devel] [PATCH 5/6] systemd: Load AppArmor profiles if necessary/supported

Serge Hallyn serge.hallyn at ubuntu.com
Fri Aug 1 13:42:59 UTC 2014


Quoting Martin Pitt (martin.pitt at ubuntu.com):
> Serge Hallyn [2014-07-31 17:57 +0000]:
> > Quoting Martin Pitt (martin.pitt at ubuntu.com):
> > > On Ubuntu we need to set up the AppArmor profiles also under systemd. Add a new
> > > helper "lxc-apparmor-load" and integrate it into lxc.service.
> > > ---
> > >  config/init/systemd/Makefile.am    | 5 +++--
> > >  config/init/systemd/lxc.service.in | 1 +
> > >  2 files changed, 4 insertions(+), 2 deletions(-)
> > 
> > Unfortunately you did not 'git add' the lxc-apparmor-load helper :)
> 
> Argh, sorry about that. Fixed patch :)
> 
> Martin
> 
> -- 

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> Martin Pitt                        | http://www.piware.de
> Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

> From b78db5f7858e82203429f708fedd39a7dd962d02 Mon Sep 17 00:00:00 2001
> From: Martin Pitt <martin.pitt at ubuntu.com>
> Date: Thu, 31 Jul 2014 08:06:15 +0200
> Subject: [PATCH 5/6] systemd: Load AppArmor profiles if necessary/supported
> 
> On Ubuntu we need to set up the AppArmor profiles also under systemd. Add a new
> helper "lxc-apparmor-load" and integrate it into lxc.service.
> ---
>  config/init/systemd/Makefile.am       |  5 +++--
>  config/init/systemd/lxc-apparmor-load | 14 ++++++++++++++
>  config/init/systemd/lxc.service.in    |  1 +
>  3 files changed, 18 insertions(+), 2 deletions(-)
>  create mode 100755 config/init/systemd/lxc-apparmor-load
> 
> diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
> index ed1e4ef..5959cd8 100644
> --- a/config/init/systemd/Makefile.am
> +++ b/config/init/systemd/Makefile.am
> @@ -1,5 +1,6 @@
>  EXTRA_DIST = \
>  	lxc-devsetup \
> +	lxc-apparmor-load \
>  	lxc.service.in \
>  	lxc-net.service.in \
>  	$(NULL)
> @@ -15,7 +16,7 @@ lxc-autostart-helper: ../sysvinit/lxc.in $(top_builddir)/config.status
>  	    mv $@-t $@
>  BUILT_SOURCES = lxc-autostart-helper lxc.service lxc-net.service
>  
> -install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-autostart-helper
> +install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load lxc-autostart-helper
>  	$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
>  	$(INSTALL_DATA) lxc.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
>  
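Review bot: the new prerequisite in `install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load lxc-autostart-helper` is redundant, because the rule body still only creates `$(DESTDIR)$(SYSTEMD_UNIT_DIR)` and installs the two unit files; the helper is actually installed through `pkglibexec_SCRIPTS` further down. It is harmless (the script is checked in, so make can always satisfy it), but either drop it here or note in the commit message why the dependency is listed, so the next reader does not look for a missing install line.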
> @@ -24,7 +25,7 @@ uninstall-systemd:
>  	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
>  	rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
>  
> -pkglibexec_SCRIPTS = lxc-devsetup lxc-autostart-helper
> +pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load lxc-autostart-helper
>  
>  install-data-local: install-systemd
>  uninstall-local: uninstall-systemd
> diff --git a/config/init/systemd/lxc-apparmor-load b/config/init/systemd/lxc-apparmor-load
> new file mode 100755
> index 0000000..4ac9496
> --- /dev/null
> +++ b/config/init/systemd/lxc-apparmor-load
> @@ -0,0 +1,14 @@
> +#!/bin/sh
> +# lxc-apparmor-load: Load AppArmor profiles, if supported by the system
> +
> +set -eu
> +
> +# don't load profiles if mount mediation is not supported
> +SYSF=/sys/kernel/security/apparmor/features/mount/mask
> +if [ -f $SYSF ]; then
> +	if [ -x /lib/init/apparmor-profile-load ]; then
> +		/lib/init/apparmor-profile-load usr.bin.lxc-start
> +		/lib/init/apparmor-profile-load lxc-containers
> +	fi
> +fi
> +
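Review bot: with `set -eu` at the top, any non-zero exit from `/lib/init/apparmor-profile-load` aborts the script, and since it runs as an ExecStartPre that aborts lxc.service; that is the safer outcome (no container is autostarted without its profile loaded), but it should be a stated decision in the header comment rather than a side effect of `set -e`. Two smaller points: quote the expansion in `if [ -f $SYSF ]; then` as `[ -f "$SYSF" ]` for consistency even though the path has no whitespace, and remove the trailing empty `+` line at the end of the file. Finally, `/lib/init/apparmor-profile-load` is a path shipped by Ubuntu's apparmor packaging; on a system without it the helper silently exits 0 and containers start without the usr.bin.lxc-start and lxc-containers profiles, which is the intended "if supported" behaviour but deserves a comment next to the `-x` test so nobody mistakes it for a bug.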
> diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
> index c7f2813..f64610f 100644
> --- a/config/init/systemd/lxc.service.in
> +++ b/config/init/systemd/lxc.service.in
> @@ -7,6 +7,7 @@ Wants=lxc-net.service
>  Type=oneshot
>  RemainAfterExit=yes
>  ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup
> +ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
>  ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start
>  ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop
>  # Environment=BOOTUP=serial
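Review bot: the placement of `ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load` after lxc-devsetup and before `ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start` is correct, since ExecStartPre commands run sequentially and the profiles must be in the kernel before lxc-autostart-helper starts any confined container. Keep the line without a leading `-`: a failure of the helper then fails the unit, which is the fail-closed behaviour wanted for a confinement setup step, and a comment in the unit saying so would stop a later cleanup from "tolerating" the failure.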
> -- 
> 2.0.1
> 