[lxc-devel] [PATCH 1/2] c/r: use --lsm-profile if provided

Tycho Andersen tycho.andersen at canonical.com
Fri Dec 11 23:21:53 UTC 2015


Since we can rename a container on a migrate, let's tell CRIU to use the
LSM profile name the user has specified. This change is motivated by LXD,
which sets an LSM profile name based on the container name, so if a user
changes the name of a container during migration, the old profile name
(that criu has saved) won't exist on the new host.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 src/lxc/criu.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 5ca4f9f..c30fa33 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -89,8 +89,10 @@ void exec_criu(struct criu_opts *opts)
 			static_args++;
 	} else if (strcmp(opts->action, "restore") == 0) {
 		/* --root $(lxc_mount_point) --restore-detached
-		 * --restore-sibling --pidfile $foo --cgroup-root $foo */
-		static_args += 8;
+		 * --restore-sibling --pidfile $foo --cgroup-root $foo
+		 * --lsm-profile apparmor:whatever
+		 */
+		static_args += 10;
 	} else {
 		return;
 	}
@@ -184,6 +186,7 @@ void exec_criu(struct criu_opts *opts)
 	} else if (strcmp(opts->action, "restore") == 0) {
 		void *m;
 		int additional;
+		struct lxc_conf *lxc_conf = opts->c->lxc_conf;
 
 		DECLARE_ARG("--root");
 		DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
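Review bot: The new `lxc_conf` alias is not used by the existing `DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);` directly below it, so the restore branch now mixes both spellings for the same object. Either switch the existing accesses to the alias, e.g. `DECLARE_ARG(lxc_conf->rootfs.mount);` and, in the later hunk, `additional = lxc_list_len(&lxc_conf->network) * 2;`, or keep the alias scoped to the new --lsm-profile code only. The exec_criu body continues outside this hunk, so there may be further `opts->c->lxc_conf` uses not visible here.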
@@ -194,6 +197,20 @@ void exec_criu(struct criu_opts *opts)
 		DECLARE_ARG("--cgroup-root");
 		DECLARE_ARG(opts->cgroup_path);
 
+		if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) {
+
+			if (lxc_conf->lsm_aa_profile)
+				ret = snprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile);
+			else
+				ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context);
+
+			if (ret < 0 || ret >= sizeof(buf))
+				goto err;
+
+			DECLARE_ARG("--lsm-profile");
+			DECLARE_ARG(buf);
+		}
+
 		additional = lxc_list_len(&opts->c->lxc_conf->network) * 2;
 
 		m = realloc(argv, (argc + additional + 1) * sizeof(*argv));
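Review bot: The truncation check `if (ret < 0 || ret >= sizeof(buf))` compares a signed `int` against `size_t`; the preceding `ret < 0` test keeps it correct, but it trips -Wsign-compare, so `if (ret < 0 || (size_t)ret >= sizeof(buf))` is the cleaner form. When both `lsm_aa_profile` and `lsm_se_context` are set, the AppArmor branch wins silently; a comment such as `/* both set: AppArmor profile takes precedence over the SELinux context */` would make that choice visible, or the case could be reported as an inconsistent configuration if that is the intended policy. `buf` and `ret` are declared outside the hunk and `buf` is presumably reused for later arguments, which is only safe if DECLARE_ARG copies the string rather than storing the pointer — worth confirming against the macro's definition. exec_criu's body continues past this hunk.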
-- 
2.6.2


