[lxc-devel] [PATCH] apparmor: make sure sysfs and securityfs are mounted when checking for mount feature
Dwight Engen
dwight.engen at oracle.com
Mon Sep 22 13:08:12 UTC 2014
On Sat, 20 Sep 2014 04:54:32 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Otherwise the check will return false if securityfs was not mounted
> by the container's configuration. In the past we let that quietly
> proceed, but unconfined. Now that we restrict such container
> starts, this caused lxc-test-apparmor to fail.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Dwight Engen <dwight.engen at oracle.com>
> ---
> src/lxc/lsm/apparmor.c | 32 +++++++++++++++++++++++++++++---
> 1 file changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index 8de0115..907fdd3 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -26,6 +26,7 @@
> #include <sys/stat.h>
> #include <sys/mount.h>
> #include <sys/apparmor.h>
> +#include <sys/vfs.h>
>
> #include "log.h"
> #include "lsm/lsm.h"
> @@ -40,14 +41,39 @@ static int aa_enabled = 0;
> #define AA_MOUNT_RESTR
> "/sys/kernel/security/apparmor/features/mount/mask" #define
> AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
> -static int mount_feature_enabled(void)
> +static bool mount_feature_enabled(void)
> {
> struct stat statbuf;
> + struct statfs sf;
> int ret;
> + bool mountedsys = false, mountedk = false, bret = true;
> +
> + ret = statfs("/sys", &sf);
> + if (ret < 0 || sf.f_type != 0x62656572) {
> + if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
> + SYSERROR("Error mounting sysfs");
> + return false;
> + }
> + mountedsys = true;
> + }
> + if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
> + if (mount("securityfs", "/sys/kernel/security",
> "securityfs", 0, NULL) < 0) {
> + SYSERROR("Error mounting securityfs");
> + if (mountedsys)
> + umount2("/sys", MNT_DETACH);
> + return false;
> + }
> + mountedk = true;
> + }
> ret = stat(AA_MOUNT_RESTR, &statbuf);
> if (ret != 0)
> - return 0;
> - return 1;
> + bret = false;
> +
> + if (mountedk)
> + umount2("/sys/kernel/security", MNT_DETACH);
> + if (mountedsys)
> + umount2("/sys", MNT_DETACH);
> + return bret;
> }
>
> /* aa_getcon is not working right now. Use our hand-rolled version
> below */
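Review bot: The sysfs detection compares `sf.f_type` against the bare literal `0x62656572`; that value is what `<linux/magic.h>` names `SYSFS_MAGIC`, so `if (ret < 0 || sf.f_type != SYSFS_MAGIC)` together with `#include <linux/magic.h>` in the include hunk would state the intent instead of a magic number. The teardown path ignores the return value of both `umount2(..., MNT_DETACH)` calls, so a failed detach leaves a sysfs or securityfs mount the function created behind silently; at least logging the failure with `SYSERROR` would make that visible. Since the function now mounts and lazily unmounts filesystems as a side effect of a feature probe, a comment above it such as `/* May temporarily mount sysfs and securityfs; both are detached before returning. */` would warn callers that this is not a pure check. The `#define AA_MOUNT_RESTR` / `AA_ENABLED_FILE` lines and the `mount("securityfs", ...)` call appear re-wrapped by the mail client rather than changed by the patch.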