From: Dwight Engen
Date: Fri, 18 Oct 2013 18:31:53 +0000 (-0400)
Subject: use proper config item depending on which lsm is enabled
X-Git-Tag: lxc-1.0.0.alpha2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0b6898ab49c1c01fc6e9b0fd4db37b2557dbed6;p=thirdparty%2Flxc.git
use proper config item depending on which lsm is enabled
On a system with AppArmor enabled, if lxc.se_context is configured but lxc.aa_profile is not (because the user just wants to use the default AppArmor profile) lxc was passing the lxc.se_context to be set as the new AppArmor profile. Determine which configuration item to use based on which lsm is enabled.
Signed-off-by: Dwight Engen
Signed-off-by: Serge Hallyn
---
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2bf417eaa..e46f3a0ac 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 static int do_start(void *data)
 {
 struct lxc_handler *handler = data;
+ const char *lsm_label = NULL;
 if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
 SYSERROR("failed to set sigprocmask");
@@ -557,9 +558,11 @@ static int do_start(void *data)
 return -1;
 /* Set the label to change to when we exec(2) the container's init */
- if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
- handler->conf->lsm_aa_profile :
- handler->conf->lsm_se_context, 1, 1) < 0)
+ if (!strcmp(lsm_name(), "AppArmor"))
+ lsm_label = handler->conf->lsm_aa_profile;
+ else if (!strcmp(lsm_name(), "SELinux"))
+ lsm_label = handler->conf->lsm_se_context;
+ if (lsm_process_label_set(lsm_label, 1, 1) < 0)
 goto out_warn_father;
 lsm_proc_unmount(handler->conf);
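Review bot: In the second hunk, `lsm_label` is left NULL both when `lsm_name()` matches neither "AppArmor" nor "SELinux" and when the matching config item is unset, so the label actually applied at exec depends entirely on how `lsm_process_label_set()` treats a NULL label, which is not visible here. Since this is the point where the container's confinement is chosen, I would state that contract next to the call, e.g. `/* NULL label: driver falls back to its default; a label configured for the inactive LSM is ignored */`, after confirming it against the LSM drivers. A label configured for the LSM that is not active is now dropped without any message; logging it (for example `WARN("ignoring lxc.se_context: active LSM is %s", lsm_name());`) would let an operator notice that the container is not running under the policy they wrote. The literals also have to match the driver name strings exactly, so comparing a single `const char *name = lsm_name();` result would avoid the double call. do_start starts before the first hunk and continues past the second.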