]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 84b3775)
systemd: Load AppArmor profiles if necessary/supported
authorMartin Pitt <martin.pitt@ubuntu.com>
Fri, 1 Aug 2014 05:00:34 +0000 (07:00 +0200)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 4 Aug 2014 19:24:39 +0000 (15:24 -0400)
On Ubuntu we need to set up the AppArmor profiles also under systemd.
Add a new helper "lxc-apparmor-load" and integrate it into lxc.service.

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
config/init/systemd/Makefile.am patch | blob | blame | history
config/init/systemd/lxc-apparmor-load [new file with mode: 0755] patch | blob
config/init/systemd/lxc.service.in patch | blob | blame | history

diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
index ed1e4ef745eb4d1c82447373c9f082abc8559706..5959cd85aee858fa2c28ef085b25fbe9888dbc5c 100644 (file)
--- a/config/init/systemd/Makefile.am
+++ b/config/init/systemd/Makefile.am
@@ -1,5 +1,6 @@
 EXTRA_DIST = \
        lxc-devsetup \
+       lxc-apparmor-load \
        lxc.service.in \
        lxc-net.service.in \
        $(NULL)
@@ -15,7 +16,7 @@ lxc-autostart-helper: ../sysvinit/lxc.in $(top_builddir)/config.status
            mv $@-t $@
 BUILT_SOURCES = lxc-autostart-helper lxc.service lxc-net.service
 
-install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-autostart-helper
+install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load lxc-autostart-helper
        $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
        $(INSTALL_DATA) lxc.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
 
@@ -24,7 +25,7 @@ uninstall-systemd:
        rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
        rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
 
-pkglibexec_SCRIPTS = lxc-devsetup lxc-autostart-helper
+pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load lxc-autostart-helper
 
 install-data-local: install-systemd
 uninstall-local: uninstall-systemd
diff --git a/config/init/systemd/lxc-apparmor-load b/config/init/systemd/lxc-apparmor-load
new file mode 100755 (executable)
index 0000000..4ac9496
--- /dev/null
+++ b/config/init/systemd/lxc-apparmor-load
@@ -0,0 +1,14 @@
+#!/bin/sh
+# lxc-apparmor-load: Load AppArmor profiles, if supported by the system
+
+set -eu
+
+# don't load profiles if mount mediation is not supported
+SYSF=/sys/kernel/security/apparmor/features/mount/mask
+if [ -f $SYSF ]; then
+       if [ -x /lib/init/apparmor-profile-load ]; then
+               /lib/init/apparmor-profile-load usr.bin.lxc-start
+               /lib/init/apparmor-profile-load lxc-containers
+       fi
+fi
+
diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
index c7f2813a78381e845d2d7ff13858f5619055fd3b..f64610f7cc5accd2d0858a13873a7891ec3ba90c 100644 (file)
--- a/config/init/systemd/lxc.service.in
+++ b/config/init/systemd/lxc.service.in
@@ -7,6 +7,7 @@ Wants=lxc-net.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup
+ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
 ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start
 ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop
 # Environment=BOOTUP=serial
Mirror of https://github.com/lxc/lxc.git