From: Felix Abecassis Date: Mon, 19 Mar 2018 18:38:06 +0000 (-0700) Subject: hooks: fix nvidia hook when running under the lxc-start AppArmor profile X-Git-Tag: lxc-3.0.0.beta3~5^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a0a5e89e1b77056ee1564861e502bd7dba59656;p=thirdparty%2Flxc.git hooks: fix nvidia hook when running under the lxc-start AppArmor profile For a reason that I don't understand, the profile transition needs to be done on the current process. Changing the attributes for a subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel to set AT_SECURE in the auxiliary vector and thus secure_getenv(3) inside libnvidia-container will return NULL. Signed-off-by: Felix Abecassis --- diff --git a/hooks/nvidia b/hooks/nvidia index fbe05626c..185b0ed4a 100755 --- a/hooks/nvidia +++ b/hooks/nvidia @@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then done fi +if [ -d "/sys/kernel/security/apparmor" ]; then + # Try to transition to the unconfined AppArmor profile. + echo "changeprofile unconfined" > /proc/self/attr/current || true +fi + set -x exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"
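Review bot: the `|| true` on the `echo "changeprofile unconfined" > /proc/self/attr/current` line ignores a denied transition, so the hook goes on to exec nvidia-container-cli still confined, with at most the shell's own write error as a trace; an explicit warning to stderr that names the failed profile change would make a later failure easier to diagnose. The guard `[ -d "/sys/kernel/security/apparmor" ]` only tests that AppArmor is present, so the hook requests `unconfined` from whatever profile it happens to run under, not just lxc-start; reading /proc/self/attr/current first and transitioning only when the process is actually confined would keep the drop in confinement as narrow as the subject line describes. The in-code comment should also record why the write goes to attr/current rather than attr/exec (the AT_SECURE and secure_getenv(3) effect given in the commit message), and that it depends on `echo` being a shell builtin so that /proc/self resolves to the hook's own process rather than a child.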