#include "lxc/utils.h"
#include "lxc/lsm/lsm.h"
+#include <sys/types.h>
#include <string.h>
#include <sys/stat.h>
#include <errno.h>
static const char *lsm_config_key = NULL;
static const char *lsm_label = NULL;
+bool file_exists(const char *f)
+{
+ struct stat statbuf;
+
+ return stat(f, &statbuf) == 0;
+}
+
static void test_lsm_detect(void)
{
if (lsm_enabled()) {
}
else if (!strcmp(lsm_name(), "AppArmor")) {
lsm_config_key = "lxc.aa_profile";
- lsm_label = "lxc-container-default";
+ if (file_exists("/proc/self/ns/cgroup"))
+ lsm_label = "lxc-container-default-cgns";
+ else
+ lsm_label = "lxc-container-default";
}
else {
TSTERR("unknown lsm %s enabled, add test code here", lsm_name());
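Review bot: `file_exists` is introduced with external linkage and no prototype in what is otherwise a file of `static` helpers, so it becomes a global symbol of the test binary; unless another translation unit is meant to call it, declare it `static bool file_exists(const char *f)`. Its contract is also broader than the name suggests: `stat() == 0` is true for any path that resolves, and any failure (including EACCES or ENOTDIR, not just ENOENT) is reported as "absent", which here silently selects the non-cgns profile expectation — a one-line comment such as `/* true if the path resolves at all; stat() failures of any kind count as absent */` would make that explicit. `bool` is used without a visible `<stdbool.h>` include, so it presumably arrives via lxc/utils.h; worth confirming. test_lsm_detect continues past the end of the hunk.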
set -e
+if [ -f /proc/self/ns/cgroup ]; then
+ default_profile="lxc-container-default-cgns (enforce)"
+else
+ default_profile="lxc-container-default (enforce)"
+fi
+
FAIL() {
echo -n "Failed " >&2
echo "$*" >&2
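Review bot: The reason the expected profile name depends on /proc/self/ns/cgroup is not stated anywhere in the hunk, and a reader of the script later cannot tell whether this is a kernel-feature probe or a distro-packaging detail. A comment above the `if` on the order of `# on kernels with cgroup namespaces the default policy ships as the -cgns profile` (hedged as appropriate, since the policy naming lives outside this script) would document the assumption. The value also bakes in the `(enforce)` mode suffix, so the comparison later in the file will fail on a complain-mode host; that is pre-existing behaviour but is now hidden inside the variable.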
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
-if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
+if [ "x$profile" != "x${default_profile}" ]; then
echo "FAIL: confined container was in profile $profile"
exit 1
fi
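Review bot: The comparisons at this hunk and the one below (the second `profile=` check) depend on `default_profile` having been assigned earlier in the script, and that assignment is not in view here; if it is missing or misspelled the test fails with the misleading message "confined container was in profile …" rather than pointing at the unset variable. Writing the expansion as `if [ "x$profile" != "x${default_profile:?}" ]; then` in both places makes the shell abort with a clear message when the variable is unset.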
exit 1
fi
profile=`cat /proc/$pid/attr/current`
-if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
+if [ "x$profile" != "x${default_profile}" ]; then
echo "FAIL: confined container was in profile $profile"
exit 1
fi
# Check apparmor
lxcpid=`lxc-info -n $name -p -H`
aa=`cat /proc/$lxcpid/attr/current`
- if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a "$aa" != "lxc-container-default (enforce)" ]; then
+ if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a \
+ "$aa" != "lxc-container-default-cgns (enforce)" -a \
+ "$aa" != "lxc-container-default (enforce)" ]; then
FAIL " to correctly set apparmor profile (profile is \"$aa\")"
fi
lxc-stop -n $name -k
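Review bot: The new condition accepts all three profile names regardless of whether the host has cgroup namespaces, whereas the earlier checks in this change pin exactly one expected profile; on a host where `/proc/self/ns/cgroup` exists, a container that ended up in the plain `lxc-container-default` profile would pass this check but fail the others. If `default_profile` is set in this script (the `FAIL()` helper used on the next line suggests it is the same file as the block that defines it), the test can be tightened to `if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a "$aa" != "$default_profile" ]; then`. The enclosing script continues outside the hunk.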