hooks: fix nvidia hook when running under the lxc-start AppArmor profile

For a reason that I don't understand, the profile transition needs to
be done on the current process. Changing the attributes for a
subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel
to set AT_SECURE in the auxiliary vector and thus secure_getenv(3)
inside libnvidia-container will return NULL.

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

diff --git a/hooks/nvidia b/hooks/nvidia
index fbe05626c27355131e6280975491c9a9dddc493d..185b0ed4afab991d47f61b02d4dc2097e7cbf473 100755 (executable)
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then
     done
 fi
 
+if [ -d "/sys/kernel/security/apparmor" ]; then
+    # Try to transition to the unconfined AppArmor profile.
+    echo "changeprofile unconfined" > /proc/self/attr/current || true
+fi
+
 set -x
 exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"