apparmor: cache the are-we-enabled decision
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Thu, 24 Oct 2013 01:54:13 +0000 (20:54 -0500)
committerStéphane Graber <stgraber@ubuntu.com>
Thu, 24 Oct 2013 01:53:08 +0000 (21:53 -0400)
Since we check /sys/kernel/security/ files when deciding whether
apparmor is enabled, and that might not be mounted in the container,
we cannot re-make the decision at apparmor_process_label_set() time.
Luckily we don't have to - just cache the decision made at
lsm_apparmor_drv_init().

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/lsm/apparmor.c

index cf8020d1fc377f5823a06bd7234bfca0b664f181..aaf80568df3b1142d377f28da979ba721ef1b395 100644 (file)
@@ -32,6 +32,9 @@
 
 lxc_log_define(lxc_apparmor, lxc);
 
+/* set by lsm_apparmor_drv_init if true */
+static int aa_enabled = 0;
+
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
@@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
 static int apparmor_process_label_set(const char *label, int use_default,
                                      int on_exec)
 {
-       if (!apparmor_enabled())
+       if (!aa_enabled)
                return 0;
 
        if (!label) {
@@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
 {
        if (!apparmor_enabled())
                return NULL;
+       aa_enabled = 1;
        return &apparmor_drv;
 }
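Review bot: The cached flag is only correct if lsm_apparmor_drv_init() ran earlier in this process (or in an ancestor whose memory the container process inherited), and nothing in the hunks records that dependency; the comment added in the first hunk, `/* set by lsm_apparmor_drv_init if true */`, says where the value is set but not why it must be cached. Suggest replacing it with `/* Cached result of apparmor_enabled(), taken once in lsm_apparmor_drv_init(); not re-probed later because /sys/kernel/security may be unmounted inside the container. */`. Note also that when aa_enabled is still 0, apparmor_process_label_set() returns 0 without applying any profile, so a caller reaching it before init would get success with no confinement; whether such a call order is possible is not visible from these hunks, but a DEBUG-level log on that early return would make it observable. The body of apparmor_process_label_set() continues outside the second hunk.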