[lxc-devel] [lxc/lxc] 374625: apparmor: don't fail if current aa label is given

Mon Feb 8 21:27:06 UTC 2016

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 374625aa3fe8cfa9c866c6d5e6f28bbb4a7a7540
      https://github.com/lxc/lxc/commit/374625aa3fe8cfa9c866c6d5e6f28bbb4a7a7540
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2016-02-08 (Mon, 08 Feb 2016)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  apparmor: don't fail if current aa label is given

Ideally a container configuration will specify 'unchanged' if
it wants the container to use the current (parent) profile.  But
lxd passes its current label.  Support that too.

Note that if/when stackable profiles exist, this behavior may
or may not be what we want.  But the code to deal with aa
stacking will need some changes anyway so this is ok.

With this patch, I can create nested containers inside a
lxd xenial container both using

lxc launch x2

and unprivileged

lxc-start -n x2

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

  Commit: f97ab3a63913ce8e30696cf3b62f94716be8e346
      https://github.com/lxc/lxc/commit/f97ab3a63913ce8e30696cf3b62f94716be8e346
  Author: Christian Brauner <christian.brauner at mailbox.org>
  Date:   2016-02-08 (Mon, 08 Feb 2016)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  Merge pull request #808 from hallyn/2016-02-07/aa.2

apparmor: don't fail if current aa label is given

Compare: https://github.com/lxc/lxc/compare/e8f8436cc123...f97ab3a63913