[lxc-devel] [PATCH] apparmor: make sure sysfs and securityfs are mounted when checking for mount feature
Serge Hallyn
serge.hallyn at ubuntu.com
Sat Sep 20 04:54:32 UTC 2014
Otherwise the check will return false if securityfs was not mounted
by the container's configuration. In the past we let that quietly
proceed, but unconfined. Now that we restrict such container
starts, this caused lxc-test-apparmor to fail.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/lsm/apparmor.c | 32 +++++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 8de0115..907fdd3 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -26,6 +26,7 @@
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/apparmor.h>
+#include <sys/vfs.h>
#include "log.h"
#include "lsm/lsm.h"
@@ -40,14 +41,39 @@ static int aa_enabled = 0;
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
-static int mount_feature_enabled(void)
+static bool mount_feature_enabled(void)
{
struct stat statbuf;
+ struct statfs sf;
int ret;
+ bool mountedsys = false, mountedk = false, bret = true;
+
+ ret = statfs("/sys", &sf);
+ if (ret < 0 || sf.f_type != 0x62656572) {
+ if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting sysfs");
+ return false;
+ }
+ mountedsys = true;
+ }
+ if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
+ if (mount("securityfs", "/sys/kernel/security", "securityfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting securityfs");
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return false;
+ }
+ mountedk = true;
+ }
ret = stat(AA_MOUNT_RESTR, &statbuf);
if (ret != 0)
- return 0;
- return 1;
+ bret = false;
+
+ if (mountedk)
+ umount2("/sys/kernel/security", MNT_DETACH);
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return bret;
}
/* aa_getcon is not working right now. Use our hand-rolled version below */
--
2.1.0
More information about the lxc-devel
mailing list