Don't try to change aa label if we are already apparmor-confined

Closes #1459

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d62c3ccf0a49bf84e8d58c1aa2d9875d97850a27..60863cda10b410f4c46a116fb58886bfd0ba5657 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -109,12 +109,31 @@ again:
        return buf;
 }
 
-static int apparmor_am_unconfined(void)
+/*
+ * Probably makes sense to reorganize these to only read
+ * the label once
+ */
+static bool apparmor_am_unconfined(void)
 {
        char *p = apparmor_process_label_get(getpid());
-       int ret = 0;
+       bool ret = false;
        if (!p || strcmp(p, "unconfined") == 0)
-               ret = 1;
+               ret = true;
+       free(p);
+       return ret;
+}
+
+/* aa stacking is not yet supported */
+static bool aa_stacking_supported(void) {
+       return false;
+}
+
+/* are we in a confined container? */
+static bool in_aa_confined_container(void) {
+       char *p = apparmor_process_label_get(getpid());
+       bool ret = false;
+       if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
+               ret = true;
        free(p);
        return ret;
 }
@@ -142,6 +161,19 @@ static int apparmor_process_label_set(const char *label, int use_default,
                return 0;
        }
 
+       /*
+        * If we are already confined and no profile was requested,
+        * then default to unchanged
+        */
+       if (in_aa_confined_container() && !aa_stacking_supported()) {
+               if (label) {
+                       ERROR("already apparmor confined, but new label requested.");
+                       return -1;
+               }
+               INFO("Already apparmor-confined");
+               return 0;
+       }
+
        if (!label) {
                if (use_default)
                        label = AA_DEF_PROFILE;