[lxc-devel] [PATCH 1/2] c/r: use --lsm-profile if provided

Stéphane Graber stgraber at ubuntu.com
Mon Dec 21 03:34:49 UTC 2015 

On Fri, Dec 11, 2015 at 04:21:53PM -0700, Tycho Andersen wrote:
> Since we can rename a container on a migrate, let's tell CRIU to use the
> LSM profile name the user has specified. This change is motivated by LXD,
> which sets an LSM profile name based on the container name, so if a user
> changes the name of a container during migration, the old profile name
> (that criu has saved) won't exist on the new host.
> 
> Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/criu.c | 21 +++++++++++++++++++--
>  1 file changed, 19 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/criu.c b/src/lxc/criu.c
> index 5ca4f9f..c30fa33 100644
> --- a/src/lxc/criu.c
> +++ b/src/lxc/criu.c
> @@ -89,8 +89,10 @@ void exec_criu(struct criu_opts *opts)
>  			static_args++;
>  	} else if (strcmp(opts->action, "restore") == 0) {
>  		/* --root $(lxc_mount_point) --restore-detached
> -		 * --restore-sibling --pidfile $foo --cgroup-root $foo */
> -		static_args += 8;
> +		 * --restore-sibling --pidfile $foo --cgroup-root $foo
> +		 * --lsm-profile apparmor:whatever
> +		 */
> +		static_args += 10;
>  	} else {
>  		return;
>  	}
> @@ -184,6 +186,7 @@ void exec_criu(struct criu_opts *opts)
>  	} else if (strcmp(opts->action, "restore") == 0) {
>  		void *m;
>  		int additional;
> +		struct lxc_conf *lxc_conf = opts->c->lxc_conf;
>  
>  		DECLARE_ARG("--root");
>  		DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
> @@ -194,6 +197,20 @@ void exec_criu(struct criu_opts *opts)
>  		DECLARE_ARG("--cgroup-root");
>  		DECLARE_ARG(opts->cgroup_path);
>  
> +		if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) {
> +
> +			if (lxc_conf->lsm_aa_profile)
> +				ret = snprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile);
> +			else
> +				ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context);
> +
> +			if (ret < 0 || ret >= sizeof(buf))
> +				goto err;
> +
> +			DECLARE_ARG("--lsm-profile");
> +			DECLARE_ARG(buf);
> +		}
> +
>  		additional = lxc_list_len(&opts->c->lxc_conf->network) * 2;
>  
>  		m = realloc(argv, (argc + additional + 1) * sizeof(*argv));
> -- 
> 2.6.2
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20151220/43ff22a7/attachment.sig>

More information about the lxc-devel mailing list