[lxc-devel] [PATCH 1/1] apparmor: don't do on-exec profile changes

Stéphane Graber stgraber at ubuntu.com
Sat Feb 22 23:28:56 UTC 2014 

On Fri, Feb 21, 2014 at 01:53:46PM -0600, Serge Hallyn wrote:
> always change profile immediately.  Otherwise there are weird
> corner cases where the profile change may not happen.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

It may be a surprise for anyone not reading the function documentation,
but since it's not like we use those everyday, I guess that's fine.

Btw, one such case where this change is needed is on overlayfs where
on-exec profile change doesn't appear to work at all (kernel bug, though
a rather mysterious one...).

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lsm/apparmor.c | 17 +++++------------
>  1 file changed, 5 insertions(+), 12 deletions(-)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index 280c1ea..f4c8d26 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -125,7 +125,7 @@ static int apparmor_am_unconfined(void)
>   *
>   * @label   : the profile to set
>   * @default : use the default profile if label is NULL
> - * @on_exec : the new profile will take effect on exec(2) not immediately
> + * @on_exec : this is ignored.  Apparmor profile will be changed immediately
>   *
>   * Returns 0 on success, < 0 on failure
>   *
> @@ -149,19 +149,12 @@ static int apparmor_process_label_set(const char *label, int use_default,
>  		return 0;
>  	}
>  
> -	if (on_exec) {
> -		if (aa_change_onexec(label) < 0) {
> -			SYSERROR("failed to change exec apparmor profile to %s", label);
> -			return -1;
> -		}
> -	} else {
> -		if (aa_change_profile(label) < 0) {
> -			SYSERROR("failed to change apparmor profile to %s", label);
> -			return -1;
> -		}
> +	if (aa_change_profile(label) < 0) {
> +		SYSERROR("failed to change apparmor profile to %s", label);
> +		return -1;
>  	}
>  
> -	INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", label);
> +	INFO("changed apparmor profile to %s", label);
>  	return 0;
>  }
>  
> -- 
> 1.9.0
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140222/7f807934/attachment.pgp>

More information about the lxc-devel mailing list