[Lxc-users] lxc lsm support

Serge Hallyn serge.hallyn at canonical.com
Mon Mar 19 21:02:29 UTC 2012


Hi,

I have a patch (core patch appended fyi, see
lp:~serge-hallyn/ubuntu/precise/lxc/lxc-aa for the full set of package
changes) to make lxc-start switch to an apparmor profile specified in the
container config (with lxc.aa_profile).  Making this support selinux and
smack as well should be pretty trivial - but testing that properly will
not be.

After April I will extend this patch to support selinux and smack
(and test it) and push a patch upstream.  In the meantime, I intend
to carry this as a delta in ubuntu.  However, if someone has the time
and inclination to work on it beforehand, that's great.  Comments of
course are appreciated.

thanks,
-serge

Description: support per-container apparmor profiles
 It doesn't yet support selinux or smack.
Author: Serge Hallyn <serge.hallyn at canonical.com>
Forwarded: no

Index: lxc-aa/src/lxc/conf.h
===================================================================
--- lxc-aa.orig/src/lxc/conf.h	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/conf.h	2012-03-18 22:40:07.198440851 -0500
@@ -193,6 +193,7 @@
  * @tty_info   : tty data
  * @console    : console data
  * @ttydir     : directory (under /dev) in which to create console and ttys
+ * @aa_profile : apparmor profile to switch to
  */
 struct lxc_conf {
 	char *fstab;
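Review bot: The new @aa_profile doc line says what the field is but not who owns the string or what NULL means; elsewhere in this patch confile.c fills it with strdup()'d memory and start.c substitutes a built-in default when it is NULL. Suggest `+ * @aa_profile : apparmor profile to switch to (strdup'd from lxc.aa_profile; NULL = built-in default)`. Whether the conf teardown path releases it is not visible in this patch and is worth confirming.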
@@ -211,6 +212,7 @@
 	struct lxc_rootfs rootfs;
 	char *ttydir;
 	int close_all_fds;
+	char *aa_profile;
 };
 
 /*
Index: lxc-aa/src/lxc/start.c
===================================================================
--- lxc-aa.orig/src/lxc/start.c	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/start.c	2012-03-19 10:05:05.549360259 -0500
@@ -546,6 +546,17 @@
 
 	close(handler->sigfd);
 
+#define AA_DEF_PROFILE "lxc-container-default"
+
+	if (!handler->conf->aa_profile)
+		handler->conf->aa_profile = AA_DEF_PROFILE;
+
+	if (aa_change_profile(handler->conf->aa_profile) < 0) {
+		SYSERROR("failed to change apparmor profile to %s\n", handler->conf->aa_profile);
+		return -1;
+	}
+	INFO("changed apparmor profile to %s\n", handler->conf->aa_profile);
+
 	/* after this call, we are in error because this
 	 * ops should not return as it execs */
 	if (handler->ops->start(handler, handler->data))
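Review bot: Assigning the string literal AA_DEF_PROFILE into handler->conf->aa_profile mixes a non-heap pointer into a field that confile.c fills with strdup()'d memory, so any later free of conf->aa_profile would be invalid; keep the default in a local instead, `const char *profile = handler->conf->aa_profile ? handler->conf->aa_profile : AA_DEF_PROFILE;`, and pass `profile` to aa_change_profile() and the two log calls. The `#define AA_DEF_PROFILE` placed inside the function body belongs at file scope with the other constants. Failing the start when aa_change_profile() fails is the right fail-closed default, but since the parser drops empty values there is no way to opt out on a host where AppArmor is disabled, so a check that AppArmor is enabled before the call (reading /sys/module/apparmor/parameters/enabled, or libapparmor's enabled query if the version in use provides one) or an explicit value meaning unconfined would avoid an unconditional hard failure. aa_change_profile() applies the profile immediately, so the profile must also permit everything this function still does before ops->start() execs; aa_change_onexec() would defer the transition to the exec, which is presumably what the profile is written for. The enclosing function continues outside the hunk.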
Index: lxc-aa/src/lxc/conf.c
===================================================================
--- lxc-aa.orig/src/lxc/conf.c	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/conf.c	2012-03-18 22:40:36.754587413 -0500
@@ -1523,6 +1523,7 @@
 	lxc_list_init(&new->network);
 	lxc_list_init(&new->mount_list);
 	lxc_list_init(&new->caps);
+	new->aa_profile = NULL;
 
 	return new;
 }
Index: lxc-aa/src/lxc/confile.c
===================================================================
--- lxc-aa.orig/src/lxc/confile.c	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/confile.c	2012-03-18 22:49:44.054169567 -0500
@@ -48,6 +48,7 @@
 static int config_pts(const char *, char *, struct lxc_conf *);
 static int config_tty(const char *, char *, struct lxc_conf *);
 static int config_ttydir(const char *, char *, struct lxc_conf *);
+static int config_aa_profile(const char *, char *, struct lxc_conf *);
 static int config_cgroup(const char *, char *, struct lxc_conf *);
 static int config_mount(const char *, char *, struct lxc_conf *);
 static int config_rootfs(const char *, char *, struct lxc_conf *);
@@ -82,6 +83,7 @@
 	{ "lxc.pts",                  config_pts                  },
 	{ "lxc.tty",                  config_tty                  },
 	{ "lxc.devttydir",            config_ttydir               },
+	{ "lxc.aa_profile",            config_aa_profile          },
 	{ "lxc.cgroup",               config_cgroup               },
 	{ "lxc.mount",                config_mount                },
 	{ "lxc.rootfs.mount",         config_rootfs_mount         },
@@ -571,6 +573,24 @@
 
 	return 0;
 }
+
+static int config_aa_profile(const char *key, char *value,
+			  struct lxc_conf *lxc_conf)
+{
+	char *path;
+
+	if (!value || strlen(value) == 0)
+		return 0;
+	path = strdup(value);
+	if (!path) {
+		SYSERROR("failed to strdup '%s': %m", value);
+		return -1;
+	}
+
+	lxc_conf->aa_profile = path;
+
+	return 0;
+}
 
 static int config_cgroup(const char *key, char *value, struct lxc_conf *lxc_conf)
 {
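Review bot: config_aa_profile() overwrites lxc_conf->aa_profile without releasing a previous value, so a config that sets lxc.aa_profile twice leaks the first strdup()'d string; add `free(lxc_conf->aa_profile);` before `lxc_conf->aa_profile = path;` (this also assumes the field only ever holds heap memory, which start.c's assignment of a string-literal default currently breaks). An empty value is silently treated as "not set", so the key cannot be used to request no profile; either document that or accept an explicit value meaning unconfined so the behaviour is visible to the user. No release of aa_profile on conf teardown appears in this patch; if conf.c has a free path it should pick up this field. The `key` parameter is unused, which matches the sibling handlers.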
Index: lxc-aa/src/lxc/Makefile.am
===================================================================
--- lxc-aa.orig/src/lxc/Makefile.am	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/Makefile.am	2012-03-19 08:58:45.969626599 -0500
@@ -60,7 +60,7 @@
 	-shared \
 	-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))
 
-liblxc_so_LDADD = -lutil $(CAP_LIBS)
+liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor
 
 bin_SCRIPTS = \
 	lxc-ps \
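Review bot: `-lapparmor` is added unconditionally to liblxc_so_LDADD here and to LDADD in the second hunk, so the build now fails on any host without the libapparmor development files and configure gives no diagnostic. Gate it with a configure check (for example `AC_CHECK_LIB(apparmor, aa_change_profile, ...)`) that exports a substitution (a constructed name such as APPARMOR_LIBS) and reference it as `$(APPARMOR_LIBS)` / `@APPARMOR_LIBS@`, mirroring how CAP_LIBS is already handled on these same lines. The Makefile.in hunks would then be regenerated rather than hand-edited.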
@@ -95,7 +95,7 @@
 	lxc-init
 
 AM_LDFLAGS=-Wl,-E -Wl,-rpath -Wl,$(libdir)
-LDADD=liblxc.so @CAP_LIBS@
+LDADD=liblxc.so @CAP_LIBS@ -lapparmor
 
 lxc_attach_SOURCES = lxc_attach.c
 lxc_cgroup_SOURCES = lxc_cgroup.c
Index: lxc-aa/src/lxc/Makefile.in
===================================================================
--- lxc-aa.orig/src/lxc/Makefile.in	2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/Makefile.in	2012-03-19 08:59:01.873705454 -0500
@@ -368,7 +368,7 @@
 	-shared \
 	-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))
 
-liblxc_so_LDADD = -lutil $(CAP_LIBS)
+liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor
 bin_SCRIPTS = \
 	lxc-ps \
 	lxc-netstat \
@@ -382,7 +382,7 @@
 	lxc-destroy
 
 AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)
-LDADD = liblxc.so @CAP_LIBS@
+LDADD = liblxc.so @CAP_LIBS@ -lapparmor
 lxc_attach_SOURCES = lxc_attach.c
 lxc_cgroup_SOURCES = lxc_cgroup.c
 lxc_checkpoint_SOURCES = lxc_checkpoint.c



