[lxc-devel] [PATCH] Don't try to change aa label if we are already apparmor-confined

Stéphane Graber stgraber at ubuntu.com
Mon Jan 4 21:50:01 UTC 2016


On Mon, Jan 04, 2016 at 09:20:06PM +0000, Serge Hallyn wrote:
> Closes #1459
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lsm/apparmor.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index d78bd7a..39324ce 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -127,12 +127,31 @@ again:
>  	return buf;
>  }
>  
> -static int apparmor_am_unconfined(void)
> +/*
> + * Probably makes sense to reorganize these to only read
> + * the label once
> + */
> +static bool apparmor_am_unconfined(void)
>  {
>  	char *p = apparmor_process_label_get(getpid());
> -	int ret = 0;
> +	bool ret = false;
>  	if (!p || strcmp(p, "unconfined") == 0)
> -		ret = 1;
> +		ret = true;
> +	free(p);
> +	return ret;
> +}
> +
> +/* aa stacking is not yet supported */
> +static bool aa_stacking_supported(void) {
> +	return false;
> +}
> +
> +/* are we in a confined container? */
> +static bool in_aa_confined_container(void) {
> +	char *p = apparmor_process_label_get(getpid());
> +	bool ret = false;
> +	if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
> +		ret = true;
>  	free(p);
>  	return ret;
>  }
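Review bot: `in_aa_confined_container()` decides confinement by a bare string compare against the literal `"/usr/bin/lxc-start"`, so the answer silently flips if the host's lxc-start profile is named differently (a relocated binary or a renamed profile): the process is then treated as nested-confined and every requested label is refused by the caller. Lifting the literal into a named constant next to `AA_DEF_PROFILE`, e.g. `#define AA_LXC_START_PROFILE "/usr/bin/lxc-start"` (constructed name), and a one-line comment that a NULL label (read failure) is reported as not confined — mirroring `apparmor_am_unconfined()` treating it as unconfined — would make the contract explicit. Whether `apparmor_process_label_get()` strips the ` (enforce)` mode suffix before this compare is not visible here; if it does not, the compare never matches an enforcing profile, so that is worth confirming.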
> @@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
>  		return 0;
>  	}
>  
> +	/*
> +	 * If we are already confined and no profile was requested,
> +	 * then default to unchanged
> +	 */
> +	if (in_aa_confined_container() && !aa_stacking_supported()) {
> +		if (label) {
> +			ERROR("already apparmor confined, but new label requested.");
> +			return -1;
> +		}
> +		INFO("Already apparmor-confined");
> +		return 0;
> +	}
> +
>  	if (!label) {
>  		if (use_default)
>  			label = AA_DEF_PROFILE;
> -- 
> 2.5.0
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

