From: Alexander Mikhalitsyn
Date: Tue, 13 May 2025 12:59:35 +0000 (+0200)
Subject: Revert "re-add onexec for apparmor, move label assumption until after container has...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F4554%2Fhead;p=thirdparty%2Flxc.git

Revert "re-add onexec for apparmor, move label assumption until after container has been setup for attach"

This reverts commit 50dee37cfe3201ed51f477356f81941c960a5511.

Fixes: #4553
Bisected-by: Simon Deziel
Signed-off-by: Alexander Mikhalitsyn
---

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index b8e7147ec..8f2f7a37c 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1261,6 +1261,19 @@ __noreturn static void do_attach(struct attach_payload *ap)
 if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
 goto on_error;
+ if (attach_lsm(options) && ctx->lsm_label) {
+ bool on_exec;
+
+ /* Change into our new LSM profile. */
+ on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
+ ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec);
+ close_prot_errno_disarm(fd_lsm);
+ if (ret < 0)
+ goto on_error;
+
+ TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label);
+ }
+
 if (conf->no_new_privs || (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
 ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0), prctl_arg(0), prctl_arg(0));
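Review bot: The restored block re-establishes the container's LSM profile immediately after the switch to setup_ns_uid/gid, so when LXC_ATTACH_LSM_EXEC is not set the remainder of do_attach — the PR_SET_NO_NEW_PRIVS prctl visible right below and everything down to the target uid/gid switch, which lies outside this hunk — now executes already confined, and nothing in the hunk records that this placement is deliberate. The order relative to the prctl is, as far as I recall, load-bearing: once no_new_privs is set AppArmor rejects change_profile requests that would widen confinement, so I would add above the `if (attach_lsm(options) && ctx->lsm_label)` line `/* Must precede PR_SET_NO_NEW_PRIVS below: AppArmor refuses profile transitions under NNP, and later attach setup runs under the container profile. */`. The hunk also only closes fd_lsm inside the conditional; whether it is `__do_close` and therefore released when attach_lsm() is false cannot be seen here and is worth confirming. do_attach begins and ends outside this hunk.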
@@ -1354,19 +1367,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
 if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
 goto on_error;
- if (attach_lsm(options) && ctx->lsm_label) {
- bool on_exec;
-
- /* Change into our new LSM profile. */
- on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
- ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec);
- close_prot_errno_disarm(fd_lsm);
- if (ret < 0)
- goto on_error;
-
- TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label);
- }
-
 put_attach_payload(ap);
 /* We're done, so we can now do whatever the user intended us to do. */
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index fb67d29ca..d6516ae9f 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -5,7 +5,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -1213,17 +1212,15 @@ static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel,
 if (strequal(label, "unconfined") && apparmor_am_unconfined(ops))
 return log_info(0, "AppArmor profile unchanged");
- if (on_exec) {
- ret = aa_change_onexec(label);
- } else {
- ret = aa_change_profile(label);
- }
-
- if (ret < 0)
- return log_error_errno(-1, errno, "Failed to set AppArmor%s context to \"%s\"",
- on_exec ? " exec" : "", label);
-
- return log_info(0, "Changed AppArmor%s profile to \"%s\"", on_exec ? " exec" : "", label);
+ label_fd = apparmor_process_label_fd_get(ops, lxc_raw_gettid(), on_exec);
+ if (label_fd < 0)
+ return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
+
+ ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec);
+ if (ret < 0)
+ return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
+
+ return log_info(0, "Changed AppArmor profile to %s", label);
 }
 static struct lsm_ops apparmor_ops = {
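Review bot: The two failure paths restored in apparmor_process_label_set both return `log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label)`, which overwrites whatever errno apparmor_process_label_fd_get() or the write in apparmor_process_label_set_at() left behind and makes a missing /proc attr file indistinguishable from a rejected transition when an attach fails confined. I would at least give the first path its own message, `return log_error_errno(-EINVAL, EINVAL, "Failed to open AppArmor label file for %s", label);`, and consider preserving the callee's errno rather than forcing EINVAL. The hunk also hands label_fd to set_at and never closes it; its declaration is outside the hunk, so if it is not `__do_close` the descriptor leaks on both the success and the error path. The function's head, including that declaration and the derivation of `label` from `inlabel`, lies outside this hunk.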