From: Felix Abecassis
Date: Fri, 23 Mar 2018 17:47:35 +0000 (-0700)
Subject: hooks: fix dhclient hook when an AppArmor profile is active
X-Git-Tag: lxc-3.0.0.beta4~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2232%2Fhead;p=thirdparty%2Flxc.git
hooks: fix dhclient hook when an AppArmor profile is active
Signed-off-by: Felix Abecassis
---
diff --git a/hooks/dhclient.in b/hooks/dhclient.in
index d92107c5f..df5640e9d 100755
--- a/hooks/dhclient.in
+++ b/hooks/dhclient.in
@@ -26,6 +26,15 @@ usage() {
 echo "Usage: ${0##*/} lxc {start-host|stop}"
 }
+# Wrap the dhclient command with "aa-exec -p unconfined" if AppArmor is enabled.
+dhclient() {
+ bin="/sbin/dhclient"
+ if [ -d "/sys/kernel/security/apparmor" ] && which aa-exec >/dev/null; then
+ bin="aa-exec -p unconfined ${bin}"
+ fi
+ echo $bin
+}
+
 dhclient_start() {
 ns_args=("--uts" "--net")
 if [ -z "$(readlink /proc/${LXC_PID}/ns/user /proc/self/ns/user | uniq -d)" ]; then
@@ -39,7 +48,7 @@ dhclient_start() {
 else
 echo "INFO: Starting DHCP client and acquiring a lease..." >> "${debugfile}"
 nsenter ${ns_args[@]} --target "${LXC_PID}" -- \
- /sbin/dhclient -1 ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
+ $(dhclient) -1 ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
 fi
 }
@@ -63,7 +72,7 @@ dhclient_stop() {
 if [ -e "${pidfile}" ]; then
 echo "INFO: Stopping DHCP client and releasing leases..." >> "${debugfile}"
 nsenter ${ns_args[@]} -- \
- /sbin/dhclient -r ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
+ $(dhclient) -r ${conffile_arg} -pf "${pidfile}" -lf "${leasefile}" -e "ROOTFS=${rootfs_path}" -sf "${LXC_DHCP_SCRIPT}" -v >> "${debugfile}" 2>&1
 else
 echo "WARN: DHCP client is not running, skipping stop hook." >> "${debugfile}"
 fi
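Review bot: The `aa-exec -p unconfined` branch in the new `dhclient()` helper drops all AppArmor confinement for a DHCP client that parses replies from the container's network, and neither the comment nor the commit message says why a narrower profile would not do. As far as the visible `ns_args` show, only the UTS and network namespaces (and possibly the user namespace) are entered, so the process appears to keep the host's filesystem view; a dedicated profile that allows the `-pf`/`-lf`/`-sf` paths would keep it confined. At minimum the comment should record the reason, e.g. `# Runs unconfined because <reason the distribution profile fails here>; replace with a dedicated profile when available.` Two smaller points in the same helper: `bin` leaks into the global scope and `which` is an external command, so `local bin="/sbin/dhclient"` and `command -v aa-exec >/dev/null 2>&1` would be more robust.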
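Review bot: The unquoted `$(dhclient)` on the new nsenter line depends on word splitting of the helper's `echo $bin` output to turn `aa-exec -p unconfined /sbin/dhclient` into separate arguments, which breaks if IFS is changed or a path ever contains whitespace or glob characters; the `dhclient_stop()` hunk has the same pattern. The script already uses a bash array for `ns_args`, so the helper could fill one instead: `dhclient_cmd=(/sbin/dhclient)`, then `dhclient_cmd=(aa-exec -p unconfined "${dhclient_cmd[@]}")` under the AppArmor check, with the call sites using `"${dhclient_cmd[@]}" -1 ...`. That also avoids a subshell and a `which` lookup on every invocation. `dhclient_start()` starts above this hunk.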