[lxc-devel] [PATCH] Don't try to change aa label if we are already apparmor-confined
Stéphane Graber
stgraber at ubuntu.com
Mon Jan 4 21:50:01 UTC 2016
On Mon, Jan 04, 2016 at 09:20:06PM +0000, Serge Hallyn wrote:
> Closes #1459
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/lsm/apparmor.c | 38 +++++++++++++++++++++++++++++++++++---
> 1 file changed, 35 insertions(+), 3 deletions(-)
>
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index d78bd7a..39324ce 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -127,12 +127,31 @@ again:
> return buf;
> }
>
> -static int apparmor_am_unconfined(void)
> +/*
> + * Probably makes sense to reorganize these to only read
> + * the label once
> + */
> +static bool apparmor_am_unconfined(void)
> {
> char *p = apparmor_process_label_get(getpid());
> - int ret = 0;
> + bool ret = false;
> if (!p || strcmp(p, "unconfined") == 0)
> - ret = 1;
> + ret = true;
> + free(p);
> + return ret;
> +}
> +
> +/* aa stacking is not yet supported */
> +static bool aa_stacking_supported(void) {
> + return false;
> +}
> +
> +/* are we in a confined container? */
> +static bool in_aa_confined_container(void) {
> + char *p = apparmor_process_label_get(getpid());
> + bool ret = false;
> + if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
> + ret = true;
> free(p);
> return ret;
> }
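Review bot: `in_aa_confined_container()` returns true for a process whose label is `unconfined`, because the only label it excludes is `/usr/bin/lxc-start`; `apparmor_am_unconfined()` a few lines above shows that `unconfined` is a value `apparmor_process_label_get()` can return. On a host where lxc-start runs without its profile (profile not loaded, or the binary installed at another path), the new check in `apparmor_process_label_set()` would then reject every container that requests a profile. The condition should exclude that case too: `if (p && strcmp(p, "unconfined") != 0 && strcmp(p, "/usr/bin/lxc-start") != 0)`. Matching on the hard-coded profile name is also fragile for distributions that attach lxc-start under a different profile or path; a comment such as `/* assumes the host lxc-start profile is named after its install path */` would at least make the assumption visible. Whether the label returned here has the " (enforce)" mode suffix stripped cannot be seen in this hunk and should be confirmed, since the strcmp depends on it.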
> @@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
> return 0;
> }
>
> + /*
> + * If we are already confined and no profile was requested,
> + * then default to unchanged
> + */
> + if (in_aa_confined_container() && !aa_stacking_supported()) {
> + if (label) {
> + ERROR("already apparmor confined, but new label requested.");
> + return -1;
> + }
> + INFO("Already apparmor-confined");
> + return 0;
> + }
> +
> if (!label) {
> if (use_default)
> label = AA_DEF_PROFILE;
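Review bot: The error path for "already confined, new label requested" logs no detail about which label was refused, which makes the nested-container failure hard to diagnose from the log alone; `ERROR("already apparmor confined, but new label \"%s\" requested.", label);` would give the operator what they need. Refusing rather than silently keeping the current confinement is the right call while stacking is unsupported, since honouring a request such as `unconfined` from inside a confined container would amount to dropping the outer profile; a short comment stating that, e.g. `/* refusing is deliberate: without stacking we cannot honour a narrower profile, and must never drop the outer one */`, would stop a later cleanup from turning this into a warning. Note that the check runs before the `!label` default handling, so a nested container config that explicitly names the default profile still fails here, which may be intended but is worth stating in the comment. The enclosing function starts before this hunk and continues past it.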
> --
> 2.5.0
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com