]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: db5751a)
apparmor: support lxc.aa_profile = unchanged
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Wed, 25 Nov 2015 20:45:08 +0000 (20:45 +0000)
committerStéphane Graber <stgraber@ubuntu.com>
Thu, 17 Nov 2016 22:20:28 +0000 (17:20 -0500)
In which case lxc will not update the apparmor profile at all.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/lsm/apparmor.c patch | blob | blame | history

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 1574814199e38ba75e726a2a29023d35959c0038..d62c3ccf0a49bf84e8d58c1aa2d9875d97850a27 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -38,6 +38,7 @@ static int aa_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
+#define AA_UNCHANGED "unchanged"
 
 /* aa_getcon is not working right now.  Use our hand-rolled version below */
 static int apparmor_enabled(void)
@@ -135,6 +136,12 @@ static int apparmor_process_label_set(const char *label, int use_default,
        if (!aa_enabled)
                return 0;
 
+       /* user may request that we just ignore apparmor */
+       if (label && strcmp(label, AA_UNCHANGED) == 0) {
+               INFO("apparmor profile unchanged per user request");
+               return 0;
+       }
+
        if (!label) {
                if (use_default)
                        label = AA_DEF_PROFILE;
Mirror of https://github.com/lxc/lxc.git