apparmor: make sure sysfs and securityfs are mounted when checking for mount feature
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Sat, 20 Sep 2014 04:54:32 +0000 (04:54 +0000)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 22 Sep 2014 21:28:27 +0000 (17:28 -0400)
Otherwise the check will return false if securityfs was not mounted
by the container's configuration.  In the past we let that quietly
proceed, but unconfined.  Now that we restrict such container
starts, this caused lxc-test-apparmor to fail.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
src/lxc/lsm/apparmor.c

index 8de011505a5697f3da4646f0028c99dbf0b3eee5..907fdd3aece5159f2929adc715de612140433a69 100644 (file)
@@ -26,6 +26,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <sys/apparmor.h>
+#include <sys/vfs.h>
 
 #include "log.h"
 #include "lsm/lsm.h"
@@ -40,14 +41,39 @@ static int aa_enabled = 0;
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
 
-static int mount_feature_enabled(void)
+static bool mount_feature_enabled(void)
 {
        struct stat statbuf;
+       struct statfs sf;
        int ret;
+       bool mountedsys = false, mountedk = false, bret = true;
+
+       ret = statfs("/sys", &sf);
+       if (ret < 0 || sf.f_type != 0x62656572) {
+               if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
+                       SYSERROR("Error mounting sysfs");
+                       return false;
+               }
+               mountedsys = true;
+       }
+       if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
+               if (mount("securityfs", "/sys/kernel/security", "securityfs", 0, NULL) < 0) {
+                       SYSERROR("Error mounting securityfs");
+                       if (mountedsys)
+                               umount2("/sys", MNT_DETACH);
+                       return false;
+               }
+               mountedk = true;
+       }
        ret = stat(AA_MOUNT_RESTR, &statbuf);
        if (ret != 0)
-               return 0;
-       return 1;
+               bret = false;
+
+       if (mountedk)
+               umount2("/sys/kernel/security", MNT_DETACH);
+       if (mountedsys)
+               umount2("/sys", MNT_DETACH);
+       return bret;
 }
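Review bot: The sysfs detection compares `sf.f_type` against the bare literal `0x62656572`, which a reader has to decode by hand; `<linux/magic.h>` provides `SYSFS_MAGIC` for exactly this value, so `if (ret < 0 || sf.f_type != SYSFS_MAGIC) {` with that header added next to the new `<sys/vfs.h>` include would document the intent. The securityfs check just below is asymmetric with it: it stats `/sys/kernel/security/apparmor` rather than checking the filesystem type of `/sys/kernel/security`, so on a kernel where securityfs is already mounted but no apparmor directory exists it would, as far as I can tell, stack a second securityfs mount before reaching the AA_MOUNT_RESTR test; `statfs("/sys/kernel/security", &sf)` against `SECURITYFS_MAGIC` would make the two checks agree. Both `umount2()` calls at the end discard their return value, so a failed detach leaves a mount this function added in the caller's mount namespace without any trace in the log; `if (mountedk && umount2("/sys/kernel/security", MNT_DETACH) < 0) SYSERROR("Error unmounting securityfs");` (and the same for `/sys`) keeps that visible. Since the function now changes mount state temporarily, a header comment stating that it may mount and detach sysfs and securityfs in the current mount namespace, and that callers must therefore only invoke it where such a change is acceptable, would help the next maintainer.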
 
 /* aa_getcon is not working right now.  Use our hand-rolled version below */