From: Serge Hallyn
Date: Mon, 8 Feb 2016 07:06:10 +0000 (-0800)
Subject: apparmor: don't fail if current aa label is given
X-Git-Tag: lxc-2.0.0.rc1~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F808%2Fhead;p=thirdparty%2Flxc.git

apparmor: don't fail if current aa label is given

Ideally a container configuration will specify 'unchanged' if it wants the container to use the current (parent) profile. But lxd passes its current label. Support that too. Note that if/when stackable profiles exist, this behavior may or may not be what we want. But the code to deal with aa stacking will need some changes anyway so this is ok. With this patch, I can create nested containers inside a lxd xenial container both using lxc launch x2 and unprivileged lxc-start -n x2

Signed-off-by: Serge Hallyn
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 9d8122405..6352e2c25 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -146,16 +146,15 @@ static bool aa_stacking_supported(void) {
 return false;
 }
 
-/* are we in a confined container? */
-static bool in_aa_confined_container(void) {
- char *p = apparmor_process_label_get(getpid());
- bool ret = false;
- if (p && strcmp(p, "/usr/bin/lxc-start") != 0 && strcmp(p, "unconfined") != 0) {
- INFO("Already apparmor-confined under %s", p);
- ret = true;
- }
- free(p);
- return ret;
+static bool aa_needs_transition(char *curlabel)
+{
+ if (!curlabel)
+ return false;
+ if (strcmp(curlabel, "unconfined") == 0)
+ return false;
+ if (strcmp(curlabel, "/usr/bin/lxc-start") == 0)
+ return false;
+ return true;
 }
 
 /*
@@ -174,6 +173,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 int use_default, int on_exec)
 {
 const char *label = inlabel ? inlabel : conf->lsm_aa_profile;
+ char *curlabel;
 
 if (!aa_enabled)
 return 0;
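Review bot: `aa_needs_transition` only reads through `curlabel`, so the parameter should be `static bool aa_needs_transition(const char *curlabel)`; as written, a caller holding a `const char *` (such as the `label` variable in `apparmor_process_label_set`) could not pass it without a cast. The replaced `in_aa_confined_container()` carried a one-line purpose comment and the new helper has none, although its contract (NULL, "unconfined" and the lxc-start profile all mean "no real confinement") is exactly what the caller depends on; I would add `/* True when curlabel is a real confinement profile, i.e. something other than NULL, "unconfined" or the lxc-start profile, so that a different requested label would need an actual transition. */` above the definition. The strings "unconfined" and "/usr/bin/lxc-start" are now compared in two places in the file's history; a named constant would keep them from drifting.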
@@ -184,17 +184,22 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 return 0;
 }
 
- /*
- * If we are already confined and no profile was requested,
- * then default to unchanged
- */
- if (in_aa_confined_container() && !aa_stacking_supported()) {
- if (label) {
- ERROR("already apparmor confined, but new label requested.");
- return -1;
+ curlabel = apparmor_process_label_get(getpid());
+
+ if (!aa_stacking_supported() && aa_needs_transition(curlabel)) {
+ // we're already confined, and stacking isn't supported
+
+ if (!label || strcmp(curlabel, label) == 0) {
+ // no change requested
+ free(curlabel);
+ return 0;
 }
- return 0;
+
+ ERROR("already apparmor confined, but new label requested.");
+ free(curlabel);
+ return -1;
 }
+ free(curlabel);
 
 if (!label) {
 if (use_default)
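Review bot: The no-change branch now returns success silently, whereas the removed `in_aa_confined_container()` logged the confining label; since this is the branch that newly accepts a requested label equal to the current one, I would keep that trace with `INFO("Already apparmor-confined under %s, no change requested", curlabel);` before the `free(curlabel); return 0;`. The test `strcmp(curlabel, label) == 0` assumes `apparmor_process_label_get()` returns the bare profile name in the same form the configuration uses (no mode suffix, no trailing newline); that is not visible in this hunk, so it is worth confirming, otherwise a correctly configured label would still be rejected with -1. When the label read fails and `curlabel` is NULL, `aa_needs_transition()` returns false and the code proceeds as if unconfined, which may be intended but deserves at least a WARN so a failed read is distinguishable from "unconfined". The two new `//` comments sit next to `/* */` comments elsewhere in this function; matching the file's style would be preferable. `apparmor_process_label_set` continues past the end of the hunk.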