From: Tycho Andersen Date: Fri, 11 Dec 2015 23:21:53 +0000 (-0700) Subject: c/r: use --lsm-profile if provided X-Git-Tag: lxc-2.0.0.beta1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13389b2963692a51162c703d8a64a79542b18949;p=thirdparty%2Flxc.git c/r: use --lsm-profile if provided Since we can rename a container on a migrate, let's tell CRIU to use the LSM profile name the user has specified. This change is motivated by LXD, which sets an LSM profile name based on the container name, so if a user changes the name of a container during migration, the old profile name (that criu has saved) won't exist on the new host. Signed-off-by: Tycho Andersen Acked-by: Stéphane Graber
---
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 74c47723b..0a0392f6d 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -89,8 +89,10 @@ void exec_criu(struct criu_opts *opts)
 static_args++;
 } else if (strcmp(opts->action, "restore") == 0) {
 /* --root $(lxc_mount_point) --restore-detached
- * --restore-sibling --pidfile $foo --cgroup-root $foo */
- static_args += 8;
+ * --restore-sibling --pidfile $foo --cgroup-root $foo
+ * --lsm-profile apparmor:whatever
+ */
+ static_args += 10;
 } else {
 return;
 }
@@ -184,6 +186,7 @@ void exec_criu(struct criu_opts *opts)
 } else if (strcmp(opts->action, "restore") == 0) {
 void *m;
 int additional;
+ struct lxc_conf *lxc_conf = opts->c->lxc_conf;
 DECLARE_ARG("--root");
 DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
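Review bot: `static_args += 10` reserves two extra argv slots for `--lsm-profile` unconditionally, while the restore code later in the file appears to emit that pair only when an AppArmor profile or SELinux context is configured; over-reserving is harmless here, but the comment should say so rather than leave the reader to reconcile the counts, e.g. `/* --lsm-profile slots are reserved even when no LSM profile is set */`. exec_criu's body starts before and continues after this hunk.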
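Review bot: The new `lxc_conf` alias is declared but the very next line still spells out `opts->c->lxc_conf->rootfs.mount`; for consistency with the later uses of the alias, change it to `DECLARE_ARG(lxc_conf->rootfs.mount);`. The alias carries the same unchecked-pointer assumption the original dereference already made, so nothing new is lost, but a one-line comment stating that `opts->c->lxc_conf` is expected to be non-NULL at this point would make the contract explicit. exec_criu continues outside this hunk.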
@@ -194,6 +197,20 @@ void exec_criu(struct criu_opts *opts)
 DECLARE_ARG("--cgroup-root");
 DECLARE_ARG(opts->cgroup_path);
+ if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) {
+
+ if (lxc_conf->lsm_aa_profile)
+ ret = snprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile);
+ else
+ ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context);
+
+ if (ret < 0 || ret >= sizeof(buf))
+ goto err;
+
+ DECLARE_ARG("--lsm-profile");
+ DECLARE_ARG(buf);
+ }
+ + additional = lxc_list_len(&opts->c->lxc_conf->network) * 2;
 m = realloc(argv, (argc + additional + 1) * sizeof(*argv));