[lxc-devel] [PATCH] Don't try to change aa label if we are already apparmor-confined

[Serge Hallyn]

Closes #1459

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/lsm/apparmor.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d78bd7a..39324ce 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -127,12 +127,31 @@ again:
 	return buf;
 }
 
-static int apparmor_am_unconfined(void)
+/*
+ * Probably makes sense to reorganize these to only read
+ * the label once
+ */
+static bool apparmor_am_unconfined(void)
 {
 	char *p = apparmor_process_label_get(getpid());
-	int ret = 0;
+	bool ret = false;
 	if (!p || strcmp(p, "unconfined") == 0)
-		ret = 1;
+		ret = true;
+	free(p);
+	return ret;
+}
+
+/* aa stacking is not yet supported */
+static bool aa_stacking_supported(void) {
+	return false;
+}
+
+/* are we in a confined container? */
+static bool in_aa_confined_container(void) {
+	char *p = apparmor_process_label_get(getpid());
+	bool ret = false;
+	if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
+		ret = true;
 	free(p);
 	return ret;
 }
@@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		return 0;
 	}
 
+	/*
+	 * If we are already confined and no profile was requested,
+	 * then default to unchanged
+	 */
+	if (in_aa_confined_container() && !aa_stacking_supported()) {
+		if (label) {
+			ERROR("already apparmor confined, but new label requested.");
+			return -1;
+		}
+		INFO("Already apparmor-confined");
+		return 0;
+	}
+
 	if (!label) {
 		if (use_default)
 			label = AA_DEF_PROFILE;
-- 
2.5.0