From: Serge Hallyn
Date: Thu, 24 Oct 2013 01:54:13 +0000 (-0500)
Subject: apparmor: cache the are-we-enabled decision
X-Git-Tag: lxc-1.0.0.alpha3~66
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e6966e57264e993ee7856993cc5ee9ff31969a6;p=thirdparty%2Flxc.git

apparmor: cache the are-we-enabled decision

Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init().

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index cf8020d1f..aaf80568d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -32,6 +32,9 @@ lxc_log_define(lxc_apparmor, lxc);
+/* set by lsm_apparmor_drv_init if true */
+static int aa_enabled = 0;
+
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
@@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
 static int apparmor_process_label_set(const char *label, int use_default, int on_exec)
 {
-	if (!apparmor_enabled())
+	if (!aa_enabled)
 		return 0;
 	if (!label) {
@@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
 {
 	if (!apparmor_enabled())
 		return NULL;
+	aa_enabled = 1;
 	return &apparmor_drv;
 }
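Review bot: The comment on the new file-static, `/* set by lsm_apparmor_drv_init if true */`, reads as though the variable is set when it is already true, and it does not say why the value is cached rather than re-probed; that reason lives only in the commit message, which the next reader of apparmor.c will not have. Suggested wording: `/* 1 once lsm_apparmor_drv_init() has seen apparmor_enabled() succeed; cached because the /sys files it probes may not be mounted inside the container */`. The comment should also make clear that nothing resets the flag, so it reflects the state at init time only.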
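Review bot: The replacement `if (!aa_enabled) return 0;` keeps the old early exit's semantics: a caller that requested a label gets 0 (success) back while no label is applied. Before this change that branch was taken whenever the probe failed; now, since the third hunk only sets aa_enabled after apparmor_enabled() succeeds and otherwise returns NULL from lsm_apparmor_drv_init(), the branch appears reachable only by a call made without the driver having been obtained through init, which is a situation worth making visible rather than silent, e.g. `if (!aa_enabled) { INFO("apparmor not enabled, ignoring label request"); return 0; }`. The body of apparmor_process_label_set continues outside the hunk, so whether callers ever treat a 0 here as "confined" cannot be confirmed from this view.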