From: Serge Hallyn
Date: Mon, 4 Jan 2016 21:20:06 +0000 (+0000)
Subject: Don't try to change aa label if we are already apparmor-confined
X-Git-Tag: lxc-2.0.0.beta2~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9bfdc0adc8a78fd2c15072b8a780a0b76588f169;p=thirdparty%2Flxc.git

Don't try to change aa label if we are already apparmor-confined

Closes #1459

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d78bd7a02..43a093e3d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -127,12 +127,31 @@ again:
 	return buf;
 }
 
-static int apparmor_am_unconfined(void)
+/*
+ * Probably makes sense to reorganize these to only read
+ * the label once
+ */
+static bool apparmor_am_unconfined(void)
 {
 	char *p = apparmor_process_label_get(getpid());
-	int ret = 0;
+	bool ret = false;
 	if (!p || strcmp(p, "unconfined") == 0)
-		ret = 1;
+		ret = true;
+	free(p);
+	return ret;
+}
+
+/* aa stacking is not yet supported */
+static bool aa_stacking_supported(void) {
+	return false;
+}
+
+/* are we in a confined container? */
+static bool in_aa_confined_container(void) {
+	char *p = apparmor_process_label_get(getpid());
+	bool ret = false;
+	if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
+		ret = true;
 	free(p);
 	return ret;
 }
@@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		return 0;
 	}
 
+	/*
+	 * If we are already confined and no profile was requested,
+	 * then default to unchanged
+	 */
+	if (in_aa_confined_container() && !aa_stacking_supported()) {
+		if (label) {
+			ERROR("already apparmor confined, but new label requested.");
+			return -1;
+		}
+		INFO("Already apparmor-confined");
+		return 0;
+	}
+
 	if (!label) {
 		if (use_default)
 			label = AA_DEF_PROFILE;
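Review bot: `in_aa_confined_container()` reports true for any label that is not exactly "/usr/bin/lxc-start", so a process whose label reads "unconfined" (the value `apparmor_am_unconfined()` just above tests for) is also classified as a confined container; unless the caller has already excluded that case before the check added in the second hunk (the `return 0;` context there suggests an earlier exit, but its condition is outside the hunk), an unconfined host with a missing lxc-start profile would silently skip the profile change and the container would start without the requested AppArmor confinement. Making the helper stand on its own is a one-line change, `if (p && strcmp(p, "unconfined") != 0 && strcmp(p, "/usr/bin/lxc-start") != 0)`. The hard-coded profile name is also fragile: a distribution that ships lxc-start under a differently named profile, or a label returned with its " (enforce)" mode suffix if `apparmor_process_label_get()` does not strip it (not visible here), would be treated as a confined container rather than as the host. A comment on the helper stating that assumption, e.g. `/* assumes apparmor_process_label_get() returns the bare profile name, without the " (mode)" suffix */`, would make the dependency explicit; and since `bool` is new to this file, confirm `<stdbool.h>` is included above this hunk.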
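Review bot: The new early-exit refuses every non-NULL `label` with -1, including a label that names the very profile the process is already running under, so a configuration that explicitly requests the current profile stops starting once lxc-start is itself confined. Reading the current label once and comparing it to the requested one before failing would keep that case working and also address the double read noted in the comment on `apparmor_am_unconfined()`; whether `label` here already carries a default taken from `conf` is not visible in the hunk. The INFO message would be more useful for later troubleshooting if it named the profile that is being kept, e.g. `INFO("Already apparmor-confined, keeping current profile");`. `apparmor_process_label_set()` begins and ends outside this hunk.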