From: Serge Hallyn
Date: Sat, 20 Sep 2014 04:54:32 +0000 (+0000)
Subject: apparmor: make sure sysfs and securityfs are mounted when checking for mount feature
X-Git-Tag: lxc-1.1.0.alpha2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85108024bda372e0bbdae9dc1858948987947ef7;p=thirdparty%2Flxc.git
apparmor: make sure sysfs and securityfs are mounted when checking for mount feature
Otherwise the check will return false if securityfs was not mounted by the container's configuration. In the past we let that quietly proceed, but unconfined. Now that we restrict such container starts, this caused lxc-test-apparmor to fail.
Signed-off-by: Serge Hallyn
Acked-by: Dwight Engen
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 8de011505..907fdd3ae 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include "log.h"
 #include "lsm/lsm.h"
@@ -40,14 +41,39 @@ static int aa_enabled = 0;
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
-static int mount_feature_enabled(void)
+static bool mount_feature_enabled(void)
 {
 struct stat statbuf;
+ struct statfs sf;
 int ret;
+ bool mountedsys = false, mountedk = false, bret = true;
+
+ ret = statfs("/sys", &sf);
+ if (ret < 0 || sf.f_type != 0x62656572) {
+ if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting sysfs");
+ return false;
+ }
+ mountedsys = true;
+ }
+ if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
+ if (mount("securityfs", "/sys/kernel/security", "securityfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting securityfs");
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return false;
+ }
+ mountedk = true;
+ }
 ret = stat(AA_MOUNT_RESTR, &statbuf);
 if (ret != 0)
- return 0;
- return 1;
+ bret = false;
+
+ if (mountedk)
+ umount2("/sys/kernel/security", MNT_DETACH);
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return bret;
 }
 /* aa_getcon is not working right now. Use our hand-rolled version below */
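Review bot: The two "is it mounted" probes in mount_feature_enabled are inconsistent: the sysfs branch checks the filesystem type with statfs() against the bare literal `0x62656572`, while the securityfs branch infers mount state from `stat("/sys/kernel/security/apparmor")`, which also fails on a kernel without AppArmor even when securityfs is already mounted, so that path appears to stack a second securityfs mount over the existing one and then lazily detach it. Comparing the literal to the named constant from `<linux/magic.h>` and probing securityfs the same way would make both branches mean "not mounted": `if (ret < 0 || sf.f_type != SYSFS_MAGIC) {` and, for the second probe, `ret = statfs("/sys/kernel/security", &sf);` / `if (ret < 0 || sf.f_type != SECURITYFS_MAGIC) {`. The umount2(MNT_DETACH) results at the end are also discarded; a short comment such as `/* best effort: a detached mount cannot be recovered here, only logged */` with a WARN on failure would make that deliberate. A header comment stating that this function temporarily mounts sysfs/securityfs in the caller's mount namespace and undoes only the mounts it made itself would help callers judge where it is safe to invoke.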