use proper config item depending on which lsm is enabled
authorDwight Engen <dwight.engen@oracle.com>
Fri, 18 Oct 2013 18:31:53 +0000 (14:31 -0400)
committerSerge Hallyn <serge.hallyn@ubuntu.com>
Fri, 18 Oct 2013 18:57:43 +0000 (13:57 -0500)
On a system with AppArmor enabled, if lxc.se_context is configured but
lxc.aa_profile is not (because the user just wants to use the default
AppArmor profile), lxc was passing the lxc.se_context value to be set as
the new AppArmor profile. Instead, choose which configuration item to use
based on which LSM is actually enabled.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
src/lxc/start.c

index 2bf417eaa0ea1c629a73d9652823626c3ba2aaa0..e46f3a0ac5c7246cd51c6e1bd63e8c17e5d6fb6c 100644 (file)
@@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 static int do_start(void *data)
 {
        struct lxc_handler *handler = data;
+       const char *lsm_label = NULL;
 
        if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
                SYSERROR("failed to set sigprocmask");
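Review bot: The `= NULL` initializer on `lsm_label` is doing real work and deserves a comment at the declaration, because it is the value that reaches `lsm_process_label_set()` in the later hunk both when the matching config item is unset and when `lsm_name()` is neither "AppArmor" nor "SELinux"; something like `/* NULL: no label change, or no supported LSM enabled */` would make that explicit, since the declaration sits some seventy lines away from its only use. The commit also means a label configured for the other LSM (e.g. lxc.aa_profile on a SELinux host) is now silently ignored rather than misapplied; presumably that is the intended fallback to the default label, but a WARN when the dropped item is non-NULL would help an operator notice the misconfiguration instead of discovering an unexpectedly labelled container later. do_start's body continues outside this hunk.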
@@ -557,9 +558,11 @@ static int do_start(void *data)
                return -1;
 
        /* Set the label to change to when we exec(2) the container's init */
-       if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
-                                 handler->conf->lsm_aa_profile :
-                                 handler->conf->lsm_se_context, 1, 1) < 0)
+       if (!strcmp(lsm_name(), "AppArmor"))
+               lsm_label = handler->conf->lsm_aa_profile;
+       else if (!strcmp(lsm_name(), "SELinux"))
+               lsm_label = handler->conf->lsm_se_context;
+       if (lsm_process_label_set(lsm_label, 1, 1) < 0)
                goto out_warn_father;
        lsm_proc_unmount(handler->conf);