[lxc-devel] [PATCH] apparmor: support lxc.aa_profile = unchanged

Serge Hallyn serge.hallyn at ubuntu.com
Wed Nov 25 20:45:08 UTC 2015


In which case lxc will not update the apparmor profile at all.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/lsm/apparmor.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 88ea5a3..d78bd7a 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -42,6 +42,7 @@ static int mount_features_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
+#define AA_UNCHANGED "unchanged"
 
 static bool check_mount_feature_enabled(void)
 {
@@ -156,6 +157,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 	if (!aa_enabled)
 		return 0;
 
+	/* user may request that we just ignore apparmor */
+	if (label && strcmp(label, AA_UNCHANGED) == 0) {
+		INFO("apparmor profile unchanged per user request");
+		return 0;
+	}
+
 	if (!label) {
 		if (use_default)
 			label = AA_DEF_PROFILE;
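Review bot: The early return on `AA_UNCHANGED` leaves the container process under whatever AppArmor confinement it inherited from the caller, which for an unconfined lxc-start means an unconfined container, and the INFO message at that line does not convey that consequence. I would make the comment say what actually happens rather than "ignore apparmor": `/* lxc.aa_profile = unchanged: keep the profile this process already has (the caller's confinement, possibly none) */`, and log it at WARN level, `WARN("apparmor profile left unchanged per user request; container inherits the caller's confinement");`. The hunk compares `label`, while the function signature shows `inlabel`; presumably `label` is a local derived from it earlier in the function, which starts before this hunk and continues after it, so that assignment is not visible here.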
-- 
2.5.0


