[lxc-devel] [lxc/master] hooks: fix dhclient hook when an AppArmor profile is active
flx42 on Github
lxc-bot at linuxcontainers.org
Fri Mar 23 17:48:01 UTC 2018
From 41be52e8ab9e3992eacf6fcf3d9b7de968039665 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Fri, 23 Mar 2018 10:47:35 -0700
Subject: [PATCH] hooks: fix dhclient hook when an AppArmor profile is active
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
hooks/dhclient.in | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/hooks/dhclient.in b/hooks/dhclient.in
index d92107c5f..df5640e9d 100755
--- a/hooks/dhclient.in
+++ b/hooks/dhclient.in
@@ -26,6 +26,15 @@ usage() {
echo "Usage: ${0##*/} <name> lxc {start-host|stop}"
}
+# Wrap the dhclient command with "aa-exec -p unconfined" if AppArmor is enabled.
+dhclient() {
+ bin="/sbin/dhclient"
+ if [ -d "/sys/kernel/security/apparmor" ] && which aa-exec >/dev/null; then
+ bin="aa-exec -p unconfined ${bin}"
+ fi
+ echo $bin
+}
+
dhclient_start() {
ns_args=("--uts" "--net")
if [ -z "$(readlink /proc/${LXC_PID}/ns/user /proc/self/ns/user | uniq -d)" ]; then
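Review bot: `aa-exec -p unconfined` in the new `dhclient()` helper drops AppArmor confinement from dhclient entirely, yet this process parses DHCP replies arriving on the container's network namespace (`nsenter --net` in the callers) and presumably runs as root from the host-side hook. The patch does not say which profile rule blocks the hook. If it is only the pid, lease or script paths, a dedicated profile or a local override for those paths would keep dhclient confined. At minimum the comment should record the reason, e.g. `# The distro dhclient profile denies <paths used by this hook>; run unconfined until a dedicated profile exists.` with the placeholder filled in. Separately, `which aa-exec >/dev/null` is better written as `command -v aa-exec >/dev/null 2>&1`, since `which` is not guaranteed to be installed and may write to stderr. dhclient_start's body continues past the end of this hunk.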
@@ -39,7 +48,7 @@ dhclient_start() {
else
echo "INFO: Starting DHCP client and acquiring a lease..." >> "${debugfile}"
nsenter ${ns_args[@]} --target "${LXC_PID}" -- \
- /sbin/dhclient -1 ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
+ $(dhclient) -1 ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
fi
}
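Review bot: The unquoted `$(dhclient)` on the new nsenter line relies on word splitting, and is open to pathname expansion, to turn the helper's output into a command line, and it forks a subshell per call; the dhclient_stop hunk repeats the same pattern. Since the script already uses a bash array for `ns_args`, the helper could fill an array once, `dhclient_cmd=(/sbin/dhclient)` or `dhclient_cmd=(aa-exec -p unconfined /sbin/dhclient)`, and the call sites become `"${dhclient_cmd[@]}" -1 ...` and `"${dhclient_cmd[@]}" -r ...`. As far as this hunk shows, a failed profile switch by `aa-exec` (for example when the hook itself runs confined) would surface only in `${debugfile}`, so a comment saying so would help whoever debugs a missing lease. dhclient_start begins before this hunk.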
@@ -63,7 +72,7 @@ dhclient_stop() {
if [ -e "${pidfile}" ]; then
echo "INFO: Stopping DHCP client and releasing leases..." >> "${debugfile}"
nsenter ${ns_args[@]} -- \
- /sbin/dhclient -r ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
+ $(dhclient) -r ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
else
echo "WARN: DHCP client is not running, skipping stop hook." >> "${debugfile}"
fi