[lxc-devel] [PATCH] apparmor: check for mount feature at a better time

Serge Hallyn serge.hallyn at ubuntu.com
Tue Oct 14 15:03:09 UTC 2014


Quoting Dwight Engen (dwight.engen at oracle.com):
> On Mon, 13 Oct 2014 23:14:30 +0000
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Check for it when we check for apparmor being enabled, rather
> > than doing it during the middle of a container setup.
> > 
> > This avoid the need to try mounting /sys and /sys/kernel/security
> > in the middle of startup, which we may not be allowed to anyway.
> 
> Hi Serge, it looks like with this change lxc won't attempt to mount /sys
> nor /sys/kernel/security at all? Just wanted to verify that we don't
> think anyone was relying on that.

No, I had only added this very recently (1-2 weeks ago0, and if we
mounted here we immediately umounted after reading the file, so this
can't affect the container's set of available mounts.

> Acked-by: Dwight Engen <dwight.engen at oracle.com>
> 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/lxc/lsm/apparmor.c | 47
> > ++++++++++++++++------------------------------- 1 file changed, 16
> > insertions(+), 31 deletions(-)
> > 
> > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> > index 907fdd3..0fca2af 100644
> > --- a/src/lxc/lsm/apparmor.c
> > +++ b/src/lxc/lsm/apparmor.c
> > @@ -37,43 +37,25 @@ lxc_log_define(lxc_apparmor, lxc);
> >  /* set by lsm_apparmor_drv_init if true */
> >  static int aa_enabled = 0;
> >  
> > +static int mount_features_enabled = 0;
> > +
> >  #define AA_DEF_PROFILE "lxc-container-default"
> >  #define AA_MOUNT_RESTR
> > "/sys/kernel/security/apparmor/features/mount/mask" #define
> > AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" 
> > -static bool mount_feature_enabled(void)
> > +static bool check_mount_feature_enabled(void)
> > +{
> > +	return mount_features_enabled == 1;
> > +}
> > +
> > +static void load_mount_features_enabled(void)
> >  {
> >  	struct stat statbuf;
> > -	struct statfs sf;
> >  	int ret;
> > -	bool mountedsys = false, mountedk = false, bret = true;
> > -
> > -	ret = statfs("/sys", &sf);
> > -	if (ret < 0 || sf.f_type != 0x62656572) {
> > -		if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
> > -			SYSERROR("Error mounting sysfs");
> > -			return false;
> > -		}
> > -		mountedsys = true;
> > -	}
> > -	if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
> > -		if (mount("securityfs", "/sys/kernel/security",
> > "securityfs", 0, NULL) < 0) {
> > -			SYSERROR("Error mounting securityfs");
> > -			if (mountedsys)
> > -				umount2("/sys", MNT_DETACH);
> > -			return false;
> > -		}
> > -		mountedk = true;
> > -	}
> > +	
> >  	ret = stat(AA_MOUNT_RESTR, &statbuf);
> > -	if (ret != 0)
> > -		bret = false;
> > -
> > -	if (mountedk)
> > -		umount2("/sys/kernel/security", MNT_DETACH);
> > -	if (mountedsys)
> > -		umount2("/sys", MNT_DETACH);
> > -	return bret;
> > +	if (ret == 0)
> > +		mount_features_enabled = 1;
> >  }
> >  
> >  /* aa_getcon is not working right now.  Use our hand-rolled version
> > below */ @@ -88,8 +70,11 @@ static int apparmor_enabled(void)
> >  		return 0;
> >  	ret = fscanf(fin, "%c", &e);
> >  	fclose(fin);
> > -	if (ret == 1 && e == 'Y')
> > +	if (ret == 1 && e == 'Y') {
> > +		load_mount_features_enabled();
> >  		return 1;
> > +	}
> > +
> >  	return 0;
> >  }
> >  
> > @@ -180,7 +165,7 @@ static int apparmor_process_label_set(const char
> > *inlabel, struct lxc_conf *conf label = "unconfined";
> >  	}
> >  
> > -	if (!mount_feature_enabled() && strcmp(label,
> > "unconfined") != 0) {
> > +	if (!check_mount_feature_enabled() && strcmp(label,
> > "unconfined") != 0) { WARN("Incomplete AppArmor support in your
> > kernel"); if (!conf->lsm_aa_allow_incomplete) {
> >  			ERROR("If you really want to start this
> > container, set");
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel


More information about the lxc-devel mailing list