[lxc-devel] [PATCH] apparmor: support lxc.aa_profile = unchanged

Stéphane Graber stgraber at ubuntu.com
Thu Dec 3 06:11:17 UTC 2015


On Wed, Nov 25, 2015 at 08:45:08PM +0000, Serge Hallyn wrote:
> In which case lxc will not update the apparmor profile at all.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lsm/apparmor.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index 88ea5a3..d78bd7a 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -42,6 +42,7 @@ static int mount_features_enabled = 0;
>  #define AA_DEF_PROFILE "lxc-container-default"
>  #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
>  #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
> +#define AA_UNCHANGED "unchanged"
>  
>  static bool check_mount_feature_enabled(void)
>  {
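
Review bot: the new AA_UNCHANGED define reserves the string "unchanged" in the same namespace as real profile names, and nothing in the patch documents that. With the check added further down, a profile that is actually named "unchanged" can no longer be selected through lxc.aa_profile, and the diffstat shows only src/lxc/lsm/apparmor.c being touched. Suggest a short comment above the define stating that it is a reserved keyword rather than a profile name, and an accompanying documentation change where lxc.aa_profile is described.
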
> @@ -156,6 +157,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
>  	if (!aa_enabled)
>  		return 0;
>  
> +	/* user may request that we just ignore apparmor */
> +	if (label && strcmp(label, AA_UNCHANGED) == 0) {
> +		INFO("apparmor profile unchanged per user request");
> +		return 0;
> +	}
> +
>  	if (!label) {
>  		if (use_default)
>  			label = AA_DEF_PROFILE;
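
Review bot: the early return added after the aa_enabled check understates its security effect. Returning 0 here leaves the container under whatever confinement the calling process already has, which may be none, while the comment says "just ignore apparmor" and the only trace is an INFO message. Suggest rewording the comment and the log text to say that the caller's current profile is kept, and considering a more visible log level so that a container started without a profile transition shows up in normal logs. The strcmp is also exact, so a value such as "Unchanged" or one with trailing whitespace falls through to the normal label handling; worth stating in the documentation that the keyword is case-sensitive.
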
> -- 
> 2.5.0

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com