Don't try to change aa label if we are already apparmor-confined

author Serge Hallyn <serge.hallyn@ubuntu.com>

Mon, 4 Jan 2016 21:20:06 +0000 (21:20 +0000)

committer Stéphane Graber <stgraber@ubuntu.com>

Mon, 4 Jan 2016 21:51:08 +0000 (16:51 -0500)
author Serge Hallyn <serge.hallyn@ubuntu.com>
Mon, 4 Jan 2016 21:20:06 +0000 (21:20 +0000)
committer Stéphane Graber <stgraber@ubuntu.com>
Mon, 4 Jan 2016 21:51:08 +0000 (16:51 -0500)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c

index d78bd7a02dd9dc706f3eaa18adabbbb989f297ac..43a093e3d57eee6688b71737b8ed5e2e7c989a6f 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -127,12 +127,31 @@ again:
         return buf;
  }
  
-static int apparmor_am_unconfined(void)
+/*
+ * Probably makes sense to reorganize these to only read
+ * the label once
+ */
+static bool apparmor_am_unconfined(void)
  {
         char *p = apparmor_process_label_get(getpid());
-       int ret = 0;
+       bool ret = false;
         if (!p || strcmp(p, "unconfined") == 0)
-               ret = 1;
+               ret = true;
+       free(p);
+       return ret;
+}
+
+/* aa stacking is not yet supported */
+static bool aa_stacking_supported(void) {
+       return false;
+}
+
+/* are we in a confined container? */
+static bool in_aa_confined_container(void) {
+       char *p = apparmor_process_label_get(getpid());
+       bool ret = false;
+       if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
+               ret = true;
         free(p);
         return ret;
  }
@@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
                 return 0;
         }
  
+       /*
+        * If we are already confined and no profile was requested,
+        * then default to unchanged
+        */
+       if (in_aa_confined_container() && !aa_stacking_supported()) {
+               if (label) {
+                       ERROR("already apparmor confined, but new label requested.");
+                       return -1;
+               }
+               INFO("Already apparmor-confined");
+               return 0;
+       }
+
         if (!label) {
                 if (use_default)
                         label = AA_DEF_PROFILE;
author	Serge Hallyn <serge.hallyn@ubuntu.com>
	Mon, 4 Jan 2016 21:20:06 +0000 (21:20 +0000)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Mon, 4 Jan 2016 21:51:08 +0000 (16:51 -0500)