[lxc-devel] [lxc/master] apparmor: don't fail if current aa label is given

hallyn on Github lxc-bot at linuxcontainers.org
Mon Feb 8 07:14:57 UTC 2016


From e03f2119191b77674bd03bc8b3e707b967447e89 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 7 Feb 2016 23:06:10 -0800
Subject: [PATCH] apparmor: don't fail if current aa label is given

Ideally a container configuration will specify 'unchanged' if
it wants the container to use the current (parent) profile.  But
lxd passes its current label.  Support that too.

Note that if/when stackable profiles exist, this behavior may
or may not be what we want.  But the code to deal with aa
stacking will need some changes anyway so this is ok.

With this patch, I can create nested containers inside a
lxd xenial container both using

lxc launch x2

and unprivileged

lxc-start -n x2

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/lsm/apparmor.c | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 9d81224..64b7f4f 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -146,18 +146,6 @@ static bool aa_stacking_supported(void) {
 	return false;
 }
 
-/* are we in a confined container? */
-static bool in_aa_confined_container(void) {
-	char *p = apparmor_process_label_get(getpid());
-	bool ret = false;
-	if (p && strcmp(p, "/usr/bin/lxc-start") != 0 && strcmp(p, "unconfined") != 0) {
-		INFO("Already apparmor-confined under %s", p);
-		ret = true;
-	}
-	free(p);
-	return ret;
-}
-
 /*
  * apparmor_process_label_set: Set AppArmor process profile
  *
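Review bot: Dropping in_aa_confined_container() also drops its INFO("Already apparmor-confined under %s", p) line, so a start that silently returns early because the process is already confined no longer leaves any trace in the log. Consider logging the current label at the new early-return site in apparmor_process_label_set(), since "why did my profile not get applied" is exactly the case an operator will need to debug.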
@@ -174,6 +162,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 				      int use_default, int on_exec)
 {
 	const char *label = inlabel ? inlabel : conf->lsm_aa_profile;
+	char *curlabel;
 
 	if (!aa_enabled)
 		return 0;
@@ -184,17 +173,24 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		return 0;
 	}
 
-	/*
-	 * If we are already confined and no profile was requested,
-	 * then default to unchanged
-	 */
-	if (in_aa_confined_container() && !aa_stacking_supported()) {
-		if (label) {
+	curlabel = apparmor_process_label_get(getpid());
+	if (!aa_stacking_supported() && curlabel) {
+		// we're already confined, and stacking isn't supported
+
+		if (!label || strcmp(curlabel, label) == 0) {
+			// no change requested
+			free(curlabel);
+			return 0;
+		}
+
+		if (strcmp(curlabel, "/usr/bin/lxc-start") != 0 &&
+				strcmp(label, AA_UNCHANGED) != 0) {
 			ERROR("already apparmor confined, but new label requested.");
+			free(curlabel);
 			return -1;
 		}
-		return 0;
 	}
+	free(curlabel);
 
 	if (!label) {
 		if (use_default)
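Review bot: The new condition `if (!aa_stacking_supported() && curlabel)` treats every non-NULL label as "already confined", whereas the helper removed above explicitly excluded "unconfined" (and "/usr/bin/lxc-start"). Unless apparmor_process_label_get() returns NULL for an unconfined process, two behaviours change here: an unconfined caller that requests a real profile (label != curlabel, label != AA_UNCHANGED) now hits the ERROR path and fails, and an unconfined caller with no label configured now returns 0 from the "no change requested" branch before reaching the `if (!label) { if (use_default) ...` block, so the default profile is never applied and the container starts unconfined. Suggest keeping the "unconfined" exclusion in the condition, e.g. `if (!aa_stacking_supported() && curlabel && strcmp(curlabel, "unconfined") != 0) {`, and adding a test for the unconfined-host case. Minor: the file uses `/* */` comments; the two `//` comments added here should match.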
