[Lxc-users] lxc lsm support
Serge Hallyn
serge.hallyn at canonical.com
Mon Mar 19 21:02:29 UTC 2012
Hi,
I have a patch (core patch appended fyi, see
lp:~serge-hallyn/ubuntu/precise/lxc/lxc-aa for the full set of package
changes) to make lxc-start switch to an apparmor profile specified in the
container config (with lxc.aa_profile). Making this support selinux and
smack as well should be pretty trivial - but testing that properly will
not be.
After April I will extend this patch to support selinux and smack
(and test it) and push a patch upstream. In the meantime, I intend
to carry this as a delta in ubuntu. However, if someone has the time
and inclination to work on it beforehand, that's great. Comments of
course are appreciated.
thanks,
-serge
Description: support per-container apparmor profiles
It doesn't yet support selinux or smack.
Author: Serge Hallyn <serge.hallyn at canonical.com>
Forwarded: no
Index: lxc-aa/src/lxc/conf.h
===================================================================
--- lxc-aa.orig/src/lxc/conf.h 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/conf.h 2012-03-18 22:40:07.198440851 -0500
@@ -193,6 +193,7 @@
* @tty_info : tty data
* @console : console data
* @ttydir : directory (under /dev) in which to create console and ttys
+ * @aa_profile : apparmor profile to switch to
*/
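Review bot: The new field comment at L31 does not say what a NULL value means or who owns the string, and both matter because the field is set from two different places in this patch (a strdup() in confile.c and a compiled-in default in start.c). Suggest `* @aa_profile : apparmor profile to switch to before exec; NULL selects the built-in default (strdup()'d when read from lxc.aa_profile)`. The struct this hunk documents continues outside the hunk.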
struct lxc_conf {
char *fstab;
@@ -211,6 +212,7 @@
struct lxc_rootfs rootfs;
char *ttydir;
int close_all_fds;
+ char *aa_profile;
};
/*
Index: lxc-aa/src/lxc/start.c
===================================================================
--- lxc-aa.orig/src/lxc/start.c 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/start.c 2012-03-19 10:05:05.549360259 -0500
@@ -546,6 +546,17 @@
close(handler->sigfd);
+#define AA_DEF_PROFILE "lxc-container-default"
+
+ if (!handler->conf->aa_profile)
+ handler->conf->aa_profile = AA_DEF_PROFILE;
+
+ if (aa_change_profile(handler->conf->aa_profile) < 0) {
+ SYSERROR("failed to change apparmor profile to %s\n", handler->conf->aa_profile);
+ return -1;
+ }
+ INFO("changed apparmor profile to %s\n", handler->conf->aa_profile);
+
/* after this call, we are in error because this
* ops should not return as it execs */
if (handler->ops->start(handler, handler->data))
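Review bot: The aa_change_profile() call at L53 runs unconditionally, so on a kernel without AppArmor, or with it disabled, every container fails to start, including ones whose config never mentions lxc.aa_profile; there is also no way to opt out, since an empty value is dropped by config_aa_profile and the default is substituted at L51. Failing closed when an explicitly configured profile cannot be applied is the right behaviour, but a check of the kernel's enabled flag and an explicit `unconfined` escape hatch should precede the call. A second problem is at L51: AA_DEF_PROFILE is a string literal written into the same field that confile.c fills with strdup(), so any later free() of conf->aa_profile would free a literal; keeping the effective profile in a local avoids mixing the two ownerships. The enclosing function starts and ends outside this hunk, and the ERROR/WARN macros below are assumed to be the ones from lxc's log.h.
```c
#define AA_DEF_PROFILE "lxc-container-default"

/* true when the kernel reports apparmor as enabled ("Y") */
static int aa_enabled(void)
{
	char buf[2] = "";
	FILE *f = fopen("/sys/module/apparmor/parameters/enabled", "r");
	if (!f)
		return 0;
	if (!fgets(buf, sizeof buf, f))
		buf[0] = '\0';
	fclose(f);
	return buf[0] == 'Y';
}

	/* … unchanged: close(handler->sigfd) above … */
	const char *profile = handler->conf->aa_profile ?
			      handler->conf->aa_profile : AA_DEF_PROFILE;
	if (!aa_enabled()) {
		/* only an explicitly requested profile is a hard failure */
		if (handler->conf->aa_profile) {
			ERROR("apparmor is not enabled but lxc.aa_profile is %s", profile);
			return -1;
		}
		WARN("apparmor is not enabled, starting container unconfined");
	} else if (strcmp(profile, "unconfined") == 0) {
		WARN("not confining container as requested by lxc.aa_profile");
	} else if (aa_change_profile(profile) < 0) {
		SYSERROR("failed to change apparmor profile to %s", profile);
		return -1;
	} else {
		INFO("changed apparmor profile to %s", profile);
	}
	/* … unchanged: handler->ops->start() call … */
```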
Index: lxc-aa/src/lxc/conf.c
===================================================================
--- lxc-aa.orig/src/lxc/conf.c 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/conf.c 2012-03-18 22:40:36.754587413 -0500
@@ -1523,6 +1523,7 @@
lxc_list_init(&new->network);
lxc_list_init(&new->mount_list);
lxc_list_init(&new->caps);
+ new->aa_profile = NULL;
return new;
}
Index: lxc-aa/src/lxc/confile.c
===================================================================
--- lxc-aa.orig/src/lxc/confile.c 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/confile.c 2012-03-18 22:49:44.054169567 -0500
@@ -48,6 +48,7 @@
static int config_pts(const char *, char *, struct lxc_conf *);
static int config_tty(const char *, char *, struct lxc_conf *);
static int config_ttydir(const char *, char *, struct lxc_conf *);
+static int config_aa_profile(const char *, char *, struct lxc_conf *);
static int config_cgroup(const char *, char *, struct lxc_conf *);
static int config_mount(const char *, char *, struct lxc_conf *);
static int config_rootfs(const char *, char *, struct lxc_conf *);
@@ -82,6 +83,7 @@
{ "lxc.pts", config_pts },
{ "lxc.tty", config_tty },
{ "lxc.devttydir", config_ttydir },
+ { "lxc.aa_profile", config_aa_profile },
{ "lxc.cgroup", config_cgroup },
{ "lxc.mount", config_mount },
{ "lxc.rootfs.mount", config_rootfs_mount },
@@ -571,6 +573,24 @@
return 0;
}
+
+static int config_aa_profile(const char *key, char *value,
+ struct lxc_conf *lxc_conf)
+{
+ char *path;
+
+ if (!value || strlen(value) == 0)
+ return 0;
+ path = strdup(value);
+ if (!path) {
+ SYSERROR("failed to strdup '%s': %m", value);
+ return -1;
+ }
+
+ lxc_conf->aa_profile = path;
+
+ return 0;
+}
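Review bot: If lxc.aa_profile appears more than once in a config, the assignment at L110 overwrites the pointer and leaks the earlier strdup()'d string; release it first with `free(lxc_conf->aa_profile); lxc_conf->aa_profile = path;`. That is safe at parse time because this patch only ever leaves the field NULL (conf.c) or pointing at a strdup() result. The early return at L102 also means `lxc.aa_profile =` with an empty value silently keeps the compiled-in default rather than disabling confinement, which deserves a comment such as `/* empty value keeps the default profile; it does not unconfine */` so nobody mistakes it for an opt-out.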
static int config_cgroup(const char *key, char *value, struct lxc_conf *lxc_conf)
{
Index: lxc-aa/src/lxc/Makefile.am
===================================================================
--- lxc-aa.orig/src/lxc/Makefile.am 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/Makefile.am 2012-03-19 08:58:45.969626599 -0500
@@ -60,7 +60,7 @@
-shared \
-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))
-liblxc_so_LDADD = -lutil $(CAP_LIBS)
+liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor
bin_SCRIPTS = \
lxc-ps \
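Review bot: Linking -lapparmor unconditionally at L124 turns libapparmor into a hard build dependency with no configure-time detection, so the build breaks on any system lacking the library even though lxc does not need AppArmor to run. Add an `AC_ARG_ENABLE([apparmor])` / `AC_CHECK_LIB([apparmor], [aa_change_profile])` pair in configure.ac that exports `APPARMOR_LIBS` and a `HAVE_APPARMOR` define, use `$(APPARMOR_LIBS)` here, and guard the aa_change_profile() call in start.c with that define. The same library is added again to the binaries' LDADD in the next hunk; since they already link liblxc.so, that is presumably only needed if a binary calls libapparmor directly, which nothing in this patch does. The Makefile.in hunks are generated output and should be dropped from the patch in favour of regenerating with autoreconf.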
@@ -95,7 +95,7 @@
lxc-init
AM_LDFLAGS=-Wl,-E -Wl,-rpath -Wl,$(libdir)
-LDADD=liblxc.so @CAP_LIBS@
+LDADD=liblxc.so @CAP_LIBS@ -lapparmor
lxc_attach_SOURCES = lxc_attach.c
lxc_cgroup_SOURCES = lxc_cgroup.c
Index: lxc-aa/src/lxc/Makefile.in
===================================================================
--- lxc-aa.orig/src/lxc/Makefile.in 2012-03-18 22:32:12.425570000 -0500
+++ lxc-aa/src/lxc/Makefile.in 2012-03-19 08:59:01.873705454 -0500
@@ -368,7 +368,7 @@
-shared \
-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))
-liblxc_so_LDADD = -lutil $(CAP_LIBS)
+liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor
bin_SCRIPTS = \
lxc-ps \
lxc-netstat \
@@ -382,7 +382,7 @@
lxc-destroy
AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)
-LDADD = liblxc.so @CAP_LIBS@
+LDADD = liblxc.so @CAP_LIBS@ -lapparmor
lxc_attach_SOURCES = lxc_attach.c
lxc_cgroup_SOURCES = lxc_cgroup.c
lxc_checkpoint_SOURCES = lxc_checkpoint.c