From: Cédric Bosdonnat Date: Mon, 3 Mar 2014 10:26:45 +0000 (+0100) Subject: add support for apparmor in lxc-enter-namespace X-Git-Tag: v1.2.3-rc1~353 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef7dc7d42921bb98a4d5f6f6dd9dd5558c081870;p=thirdparty%2Flibvirt.git add support for apparmor in lxc-enter-namespace --- diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc index 47f27b18e3..d404328bcd 100644 --- a/examples/apparmor/libvirt-lxc +++ b/examples/apparmor/libvirt-lxc @@ -2,6 +2,13 @@ #include + # Needed for lxc-enter-namespace + capability sys_admin, + capability sys_chroot, + + # Added for lxc-enter-namespace --cmd /bin/bash + /bin/bash PUx, + /usr/sbin/cron PUx, /usr/lib/systemd/systemd PUx, diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c index 074809a9dc..abfb93f511 100644 --- a/src/libvirt-lxc.c +++ b/src/libvirt-lxc.c @@ -33,6 +33,9 @@ #ifdef WITH_SELINUX # include #endif +#ifdef WITH_APPARMOR +# include +#endif #define VIR_FROM_THIS VIR_FROM_NONE @@ -239,6 +242,18 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model, virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s", _("Support for SELinux is not enabled")); goto error; +#endif + } else if (STREQ(model->model, "apparmor")) { +#ifdef WITH_APPARMOR + if (aa_change_profile(label->label) < 0) { + virReportSystemError(errno, _("error changing profile to %s"), + label->label); + goto error; + } +#else + virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s", + _("Support for AppArmor is not enabled")); + goto error; #endif } else { virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
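Review bot: The added `/bin/bash PUx,` rule lets any task confined by this profile run bash unconfined whenever no separate profile for /bin/bash is loaded, because the PUx mode falls back to unconfined execution. If the shell started by `lxc-enter-namespace --cmd /bin/bash` is meant to stay inside the container's confinement, `/bin/bash ix,` would keep it under this profile. If the fallback is intended, the comment above the rule should say so, e.g. `# PUx: bash runs unconfined unless a bash profile is loaded`. The neighbouring cron and systemd rules use the same mode, so this may be the example's convention, but a general-purpose shell reaches much further than those services. The profile's opening and closing lines are outside the hunk.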
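Review bot: `aa_change_profile(label->label)` in the new apparmor branch switches the calling process to the container's profile immediately, so whatever the caller still does before exec runs under that profile. That appears to be why the example profile in this same commit has to grant `capability sys_admin` and `capability sys_chroot` to every task in the container. If the transition can wait until exec, `aa_change_onexec(label->label)` would avoid widening the container profile; whether it can depends on how callers order the namespace entry and the exec, which the hunk does not show. Whichever call is kept, the branch deserves a comment recording the timing, e.g. `/* AppArmor: profile change takes effect now, not at exec */`. The body of virDomainLxcEnterSecurityLabel starts and ends outside the hunk.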