From: Christian Brauner
Date: Mon, 22 Jan 2018 11:02:44 +0000 (+0100)
Subject: apparmor: do not call aa_change_profile()
X-Git-Tag: lxc-2.0.10~373
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79e6609720b6bea07dfe52371188394745a2e7ca;p=thirdparty%2Flxc.git

apparmor: do not call aa_change_profile()

We can simply write the label ourselves. There's no magic happening.

Signed-off-by: Christian Brauner
---

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6106ddd08..773c9c717 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -25,11 +25,10 @@
 #include
 #include
 #include
-#include
 #include
 #include "log.h"
-#include "lsm/lsm.h"
+#include "lsm.h"
 #include "conf.h"
 #include "utils.h"
@@ -174,6 +173,8 @@ static bool aa_needs_transition(char *curlabel)
 static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf, bool use_default, bool on_exec)
 {
+ int label_fd, ret;
+ pid_t tid;
 const char *label = inlabel ? inlabel : conf->lsm_aa_profile;
 char *curlabel;
@@ -230,12 +231,21 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 return 0;
 }
- if (aa_change_profile(label) < 0) {
- SYSERROR("failed to change apparmor profile to %s", label);
+ tid = lxc_raw_gettid();
+ label_fd = lsm_process_label_fd_get(tid, on_exec);
+ if (label_fd < 0) {
+ SYSERROR("Failed to change apparmor profile to %s", label);
 return -1;
 }
- INFO("changed apparmor profile to %s", label);
+ ret = lsm_process_label_set_at(label_fd, label, on_exec);
+ close(label_fd);
+ if (ret < 0) {
+ SYSERROR("Failed to change apparmor profile to %s", label);
+ return -1;
+ }
+
+ INFO("Changed apparmor profile to %s", label);
 return 0;
 }
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index e6d5872fc..5eeb5b8fe 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
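Review bot: In the new error path of apparmor_process_label_set, `close(label_fd)` runs between the failing `lsm_process_label_set_at()` call and the `SYSERROR` that reports it, so if SYSERROR prints errno (as its name suggests) a failing close can overwrite the value being logged. Reorder so the close follows the check — `if (ret < 0) { SYSERROR("Failed to change apparmor profile to %s", label); close(label_fd); return -1; }` then `close(label_fd);` — or save and restore errno around the close. The first SYSERROR reports a failed profile change when what failed was obtaining the label file descriptor; naming that step in the message (for example `SYSERROR("Failed to open label file for tid %d", (int)tid)`) would make failures easier to diagnose. The removed aa_change_profile() call did not use on_exec, whereas the new code passes it through to lsm_process_label_set_at(); if that helper writes the exec-time label when on_exec is set, callers that relied on an immediate change should be rechecked, since the helper is outside this diff. apparmor_process_label_set starts outside the hunk.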
@@ -530,4 +530,13 @@ static inline uint64_t lxc_getpagesize(void)
 */
 extern uint64_t lxc_find_next_power2(uint64_t n);
+static inline pid_t lxc_raw_gettid(void)
+{
+#ifdef SYS_gettid
+ return syscall(SYS_gettid);
+#else
+ return lxc_raw_getpid();
+#endif
+}
+
 #endif /* __LXC_UTILS_H */
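Review bot: The `#ifdef SYS_gettid` in the new lxc_raw_gettid() silently degrades to lxc_raw_getpid() whenever `<sys/syscall.h>` has not been included before this point in utils.h, and the header's include list is outside the hunk, so this should be confirmed. Since apparmor.c uses the returned id to obtain the label file descriptor for a task, a silent fallback in a multithreaded caller would presumably address the thread-group leader rather than the calling thread, which is the wrong task to relabel; on Linux it would be safer to make the fallback a build error (`#error SYS_gettid is required`) or to include `<sys/syscall.h>` and `<unistd.h>` in this header. The fallback also deserves a comment, e.g. `/* Without SYS_gettid the pid is the best available; only correct for the main thread. */`, and because `syscall()` returns long an explicit `(pid_t)` cast would document the narrowing.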