From: Ian Merin Date: Tue, 8 Apr 2025 16:27:26 +0000 (-0400) Subject: re-add onexec for apparmor, move label assumption until after container has been... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50dee37cfe3201ed51f477356f81941c960a5511;p=thirdparty%2Flxc.git re-add onexec for apparmor, move label assumption until after container has been setup for attach Signed-off-by: Ian Merin --- diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 8f2f7a37c..b8e7147ec 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1261,19 +1261,6 @@ __noreturn static void do_attach(struct attach_payload *ap) if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid)) goto on_error; - if (attach_lsm(options) && ctx->lsm_label) { - bool on_exec; - - /* Change into our new LSM profile. */ - on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false; - ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec); - close_prot_errno_disarm(fd_lsm); - if (ret < 0) - goto on_error; - - TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label); - } - if (conf->no_new_privs || (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) { ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0), prctl_arg(0), prctl_arg(0)); @@ -1367,6 +1354,19 @@ __noreturn static void do_attach(struct attach_payload *ap) if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid)) goto on_error; + if (attach_lsm(options) && ctx->lsm_label) { + bool on_exec; + + /* Change into our new LSM profile. */ + on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false; + ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec); + close_prot_errno_disarm(fd_lsm); + if (ret < 0) + goto on_error; + + TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label); + } + put_attach_payload(ap); /* We're done, so we can now do whatever the user intended us to do. */ 
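Review bot: The re-added `process_label_set_at` block in do_attach now runs after the `PR_SET_NO_NEW_PRIVS` prctl that the first hunk leaves in place, inverting the original label-change-then-no_new_privs order. As I read the kernel's LSM hooks, label changes on a no_new_privs task are restricted (AppArmor only permits a transition that stays within the label active when the bit was set, SELinux requires an explicit nnp_transition permission and older kernels refuse outright), so an attach with `lxc.no_new_privs` or `LXC_ATTACH_NO_NEW_PRIVS` may start failing at this call with EPERM/EACCES whenever lxc-attach is not itself unconfined at prctl time; this should be confirmed on a confined host. If the goal is only to enter the profile after the target uid/gid switch, move the `if (conf->no_new_privs || ...)` prctl block down to follow this one as well, with a why-comment such as `/* Set after the LSM transition: the kernel restricts label changes once no_new_privs is in effect. */`. Note that do_attach begins and ends outside the hunk, so the statements between the two switch points are not visible here.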
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index d6516ae9f..fb67d29ca 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include #include @@ -1212,15 +1213,17 @@ static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel, if (strequal(label, "unconfined") && apparmor_am_unconfined(ops)) return log_info(0, "AppArmor profile unchanged"); - label_fd = apparmor_process_label_fd_get(ops, lxc_raw_gettid(), on_exec); - if (label_fd < 0) - return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label); - - ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec); - if (ret < 0) - return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label); - - return log_info(0, "Changed AppArmor profile to %s", label); + if (on_exec) { + ret = aa_change_onexec(label); + } else { + ret = aa_change_profile(label); + } + + if (ret < 0) + return log_error_errno(-1, errno, "Failed to set AppArmor%s context to \"%s\"", + on_exec ? " exec" : "", label); + + return log_info(0, "Changed AppArmor%s profile to \"%s\"", on_exec ? " exec" : "", label); } static struct lsm_ops apparmor_ops = {
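Review bot: `label_fd` loses its only use in apparmor_process_label_set now that the fd-based path is removed; its declaration sits above this hunk (the function's opening is outside the hunk), so if it is still there it is an unused local that warns, or breaks the build under -Werror, and should be dropped with this change. The failure return also changes from `-EINVAL` to `-1` with errno taken from libapparmor, while the unchanged `unconfined` short-circuit above still returns 0; that is fine as long as lsm_ops callers only test for `< 0`, which is worth confirming. A one-line comment would also help the next reader, since the log text says only "exec": `/* on_exec defers the transition to the next execve(); aa_change_profile() applies it immediately. */`.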