From: Martin Pitt
Date: Fri, 1 Aug 2014 05:00:34 +0000 (+0200)
Subject: systemd: Load AppArmor profiles if necessary/supported
X-Git-Tag: lxc-1.1.0.alpha2~107
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b24e2ff84c03a1e049449127958df8dc16a74fd;p=thirdparty%2Flxc.git

systemd: Load AppArmor profiles if necessary/supported

On Ubuntu we need to set up the AppArmor profiles also under systemd. Add a new helper "lxc-apparmor-load" and integrate it into lxc.service.

Signed-off-by: Martin Pitt
Acked-by: Serge E. Hallyn
---
diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
index ed1e4ef74..5959cd85a 100644
--- a/config/init/systemd/Makefile.am
+++ b/config/init/systemd/Makefile.am
@@ -1,5 +1,6 @@
 EXTRA_DIST = \
 lxc-devsetup \
+ lxc-apparmor-load \
 lxc.service.in \
 lxc-net.service.in \
 $(NULL)
@@ -15,7 +16,7 @@ lxc-autostart-helper: ../sysvinit/lxc.in $(top_builddir)/config.status
 mv $@-t $@
 BUILT_SOURCES = lxc-autostart-helper lxc.service lxc-net.service
-install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-autostart-helper
+install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load lxc-autostart-helper
 $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
 $(INSTALL_DATA) lxc.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
@@ -24,7 +25,7 @@ uninstall-systemd:
 rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
 rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
-pkglibexec_SCRIPTS = lxc-devsetup lxc-autostart-helper
+pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load lxc-autostart-helper
 install-data-local: install-systemd
 uninstall-local: uninstall-systemd
diff --git a/config/init/systemd/lxc-apparmor-load b/config/init/systemd/lxc-apparmor-load
new file mode 100755
index 000000000..4ac9496cd
--- /dev/null
+++ b/config/init/systemd/lxc-apparmor-load
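Review bot: The helper name is now spelled out in three places in this file (`EXTRA_DIST`, the `install-systemd` prerequisites and `pkglibexec_SCRIPTS`), so the next helper added will need the same three edits and leaving one of them out is not caught at build time. A single variable such as `systemd_helpers = lxc-devsetup lxc-apparmor-load` referenced from all three lists would keep them in step. As far as the visible recipe lines show, the `install-systemd` prerequisite is also redundant with `pkglibexec_SCRIPTS`, which is what actually installs the script; it appears to be kept only to mirror the existing `lxc-devsetup` entry, and a short comment saying so would save the next reader the same question.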
@@ -0,0 +1,14 @@
+#!/bin/sh
+# lxc-apparmor-load: Load AppArmor profiles, if supported by the system
+
+set -eu
+
+# don't load profiles if mount mediation is not supported
+SYSF=/sys/kernel/security/apparmor/features/mount/mask
+if [ -f $SYSF ]; then
+ if [ -x /lib/init/apparmor-profile-load ]; then
+ /lib/init/apparmor-profile-load usr.bin.lxc-start
+ /lib/init/apparmor-profile-load lxc-containers
+ fi
+fi
+
diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
index c7f2813a7..f64610f7c 100644
--- a/config/init/systemd/lxc.service.in
+++ b/config/init/systemd/lxc.service.in
@@ -7,6 +7,7 @@ Wants=lxc-net.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup
+ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
 ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start
 ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop
 # Environment=BOOTUP=serial
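Review bot: When either test in the new script fails it exits 0 without a word, so a host on which the profiles were never loaded (no mount-mediation feature file, or no /lib/init/apparmor-profile-load) is indistinguishable in the journal from one where they were. An `else` branch on the outer `if` such as `echo "lxc-apparmor-load: AppArmor mount mediation unavailable, profiles not loaded" >&2`, and a matching one on the inner test, keeps the best-effort behaviour while leaving a trace an operator can check. Separately, `[ -f $SYSF ]` should quote the expansion, `[ -f "$SYSF" ]`; `set -u` only guards against an unset variable, not word splitting, and quoting is the idiom the rest of the script should follow. Because `set -e` is in force, a non-zero exit from either apparmor-profile-load call aborts the script with that status, which deserves a comment next to `set -eu`, e.g. `# a failed profile load is propagated to the caller (lxc.service ExecStartPre)`.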
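Review bot: The new `ExecStartPre=` line carries no comment saying what a failure means for the unit: the helper runs under `set -e`, so a failing profile load makes ExecStartPre exit non-zero and systemd then never runs the `ExecStart` autostart. That is a defensible fail-closed choice, but a reader of the unit file cannot tell whether it was intended or whether the line should have been `ExecStartPre=-@LIBEXECDIR@/lxc/lxc-apparmor-load` to tolerate the failure. I would add `# Profile loading must succeed before containers are autostarted; a failure here stops the unit` above the new line to record the decision.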