c/r: use --lsm-profile if provided

Since we can rename a container on a migrate, let's tell CRIU to use the
LSM profile name the user has specified. This change is motivated by LXD,
which sets an LSM profile name based on the container name, so if a user
changes the name of a container during migration, the old profile name
(that criu has saved) won't exist on the new host.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 74c47723bafcc63dc15ab73a4c797101dd65703b..0a0392f6dc5e6b0eb10a6a468a4e97e3f31f92bc 100644 (file)
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -89,8 +89,10 @@ void exec_criu(struct criu_opts *opts)
                        static_args++;
        } else if (strcmp(opts->action, "restore") == 0) {
                /* --root $(lxc_mount_point) --restore-detached
-                * --restore-sibling --pidfile $foo --cgroup-root $foo */
-               static_args += 8;
+                * --restore-sibling --pidfile $foo --cgroup-root $foo
+                * --lsm-profile apparmor:whatever
+                */
+               static_args += 10;
        } else {
                return;
        }
@@ -184,6 +186,7 @@ void exec_criu(struct criu_opts *opts)
        } else if (strcmp(opts->action, "restore") == 0) {
                void *m;
                int additional;
+               struct lxc_conf *lxc_conf = opts->c->lxc_conf;
 
                DECLARE_ARG("--root");
                DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
@@ -194,6 +197,20 @@ void exec_criu(struct criu_opts *opts)
                DECLARE_ARG("--cgroup-root");
                DECLARE_ARG(opts->cgroup_path);
 
+               if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) {
+
+                       if (lxc_conf->lsm_aa_profile)
+                               ret = snprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile);
+                       else
+                               ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context);
+
+                       if (ret < 0 || ret >= sizeof(buf))
+                               goto err;
+
+                       DECLARE_ARG("--lsm-profile");
+                       DECLARE_ARG(buf);
+               }
+
                additional = lxc_list_len(&opts->c->lxc_conf->network) * 2;
 
                m = realloc(argv, (argc + additional + 1) * sizeof(*argv));