re-add onexec for apparmor, move label assumption until after container has been...

Signed-off-by: Ian Merin <Ian.Merin@ncipher.com>

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 8f2f7a37c3a5e27667ed9db12ada1d12c8cb5f85..b8e7147ec95aa9a8735ae3c4e425a75c7a5eb703 100644 (file)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1261,19 +1261,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
                if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
                        goto on_error;
 
-       if (attach_lsm(options) && ctx->lsm_label) {
-               bool on_exec;
-
-               /* Change into our new LSM profile. */
-               on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-               ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec);
-               close_prot_errno_disarm(fd_lsm);
-               if (ret < 0)
-                       goto on_error;
-
-               TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label);
-       }
-
        if (conf->no_new_privs || (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
                ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
                            prctl_arg(0), prctl_arg(0));
@@ -1367,6 +1354,19 @@ __noreturn static void do_attach(struct attach_payload *ap)
        if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
                goto on_error;
 
+       if (attach_lsm(options) && ctx->lsm_label) {
+               bool on_exec;
+
+               /* Change into our new LSM profile. */
+               on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
+               ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec);
+               close_prot_errno_disarm(fd_lsm);
+               if (ret < 0)
+                       goto on_error;
+
+               TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label);
+       }
+
        put_attach_payload(ap);
 
        /* We're done, so we can now do whatever the user intended us to do. */

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d6516ae9f5dbe54909801ae7e1dd156876b3ad12..fb67d29caddaf70d1050b65a96324fff5771ace3 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -5,6 +5,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/apparmor.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -1212,15 +1213,17 @@ static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel,
        if (strequal(label, "unconfined") && apparmor_am_unconfined(ops))
                return log_info(0, "AppArmor profile unchanged");
 
-       label_fd = apparmor_process_label_fd_get(ops, lxc_raw_gettid(), on_exec);
-       if (label_fd < 0)
-               return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
-
-       ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec);
-       if (ret < 0)
-               return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
-
-       return log_info(0, "Changed AppArmor profile to %s", label);
+       if (on_exec) {
+               ret = aa_change_onexec(label);
+       } else {
+               ret = aa_change_profile(label);
+       }
+       
+       if (ret < 0)
+               return log_error_errno(-1, errno, "Failed to set AppArmor%s context to \"%s\"",
+                                      on_exec ? " exec" : "", label);
+       
+       return log_info(0, "Changed AppArmor%s profile to \"%s\"", on_exec ? " exec" : "", label);
 }
 
 static struct lsm_ops apparmor_ops = {