add support for apparmor in lxc-enter-namespace
authorCédric Bosdonnat <cbosdonnat@suse.com>
Mon, 3 Mar 2014 10:26:45 +0000 (11:26 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Tue, 4 Mar 2014 11:15:47 +0000 (11:15 +0000)
examples/apparmor/libvirt-lxc
src/libvirt-lxc.c

index 47f27b18e3d03042b896af848e92d47234cc3d19..d404328bcd358fd814e622614d0fca5ee5da2f61 100644 (file)
@@ -2,6 +2,13 @@
 
   #include <abstractions/base>
 
+  # Needed for lxc-enter-namespace
+  capability sys_admin,
+  capability sys_chroot,
+
+  # Added for lxc-enter-namespace --cmd /bin/bash
+  /bin/bash PUx,
+
   /usr/sbin/cron PUx,
   /usr/lib/systemd/systemd PUx,
 
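Review bot: The new `/bin/bash PUx` rule lets the entered shell run unconfined whenever no dedicated profile exists for /bin/bash, which is the usual case, so a `--cmd /bin/bash` session is no longer held by the libvirt-lxc profile once the shell is exec'd; `ix` would keep it confined under this profile. The rule does follow the existing `PUx` entries for cron and systemd, so if unconfined is the intent the comment should say so rather than only naming the feature, e.g. `# lxc-enter-namespace --cmd /bin/bash: bash runs unconfined after exec (PUx)`. `capability sys_admin` is also far broader than the single operation it is presumably there for (setns() into the container from lxc-enter-namespace), and the comment would be more useful naming that operation, e.g. `# sys_admin/sys_chroot: needed for setns() by lxc-enter-namespace`.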
index 074809a9dcd97ff4941ad11210029bd362d6bfbc..abfb93f511fd299be35bcb7fea82ceafaf1ccadf 100644 (file)
@@ -33,6 +33,9 @@
 #ifdef WITH_SELINUX
 # include <selinux/selinux.h>
 #endif
+#ifdef WITH_APPARMOR
+# include <sys/apparmor.h>
+#endif
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
@@ -239,6 +242,18 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
         virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
                        _("Support for SELinux is not enabled"));
         goto error;
+#endif
+    } else if (STREQ(model->model, "apparmor")) {
+#ifdef WITH_APPARMOR
+        if (aa_change_profile(label->label) < 0) {
+            virReportSystemError(errno, _("error changing profile to %s"),
+                                 label->label);
+            goto error;
+        }
+#else
+        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+                       _("Support for AppArmor is not enabled"));
+        goto error;
 #endif
     } else {
         virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
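Review bot: `aa_change_profile(label->label)` confines the calling process immediately rather than at the next exec, so whatever the caller does after this returns (presumably the setns() and exec steps of lxc-enter-namespace) already runs under the container's profile; if only the executed command is meant to be confined, `aa_change_onexec()` is the exec-time counterpart, and either way a comment should state which is intended, e.g. `/* Confine the calling process now; the later exec() inherits the container profile. */`. Unlike the SELinux branch this hunk mirrors, the AppArmor branch records nothing about the previous confinement; if the function has an old-label out-parameter for the caller (its signature is outside the hunk), the equivalent here is `aa_getcon()` before the change, otherwise document that the previous label is not returned for AppArmor. The file list shows no build-system change, so this only links if the library containing libvirt-lxc.c is already linked against libapparmor when WITH_APPARMOR is set — worth confirming. virDomainLxcEnterSecurityLabel starts before this hunk and continues after it.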