From 13389b2963692a51162c703d8a64a79542b18949 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Fri, 11 Dec 2015 16:21:53 -0700 Subject: [PATCH] c/r: use --lsm-profile if provided MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Since we can rename a container on a migrate, let's tell CRIU to use the LSM profile name the user has specified. This change is motivated by LXD, which sets an LSM profile name based on the container name, so if a user changes the name of a container during migration, the old profile name (that criu has saved) won't exist on the new host. Signed-off-by: Tycho Andersen Acked-by: Stéphane Graber --- src/lxc/criu.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/lxc/criu.c b/src/lxc/criu.c index 74c47723b..0a0392f6d 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -89,8 +89,10 @@ void exec_criu(struct criu_opts *opts) static_args++; } else if (strcmp(opts->action, "restore") == 0) { /* --root $(lxc_mount_point) --restore-detached - * --restore-sibling --pidfile $foo --cgroup-root $foo */ - static_args += 8; + * --restore-sibling --pidfile $foo --cgroup-root $foo + * --lsm-profile apparmor:whatever + */ + static_args += 10; } else { return; } @@ -184,6 +186,7 @@ void exec_criu(struct criu_opts *opts) } else if (strcmp(opts->action, "restore") == 0) { void *m; int additional; + struct lxc_conf *lxc_conf = opts->c->lxc_conf; DECLARE_ARG("--root"); DECLARE_ARG(opts->c->lxc_conf->rootfs.mount); 
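Review bot: The new `struct lxc_conf *lxc_conf = opts->c->lxc_conf;` alias is declared and then not used by the very next line, which still spells out `DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);`. Using the alias consistently within the restore branch, `DECLARE_ARG(lxc_conf->rootfs.mount);`, keeps a reader from wondering whether the two expressions can refer to different configurations. The restore branch of exec_criu continues past the end of this hunk, so any later `opts->c->lxc_conf->` uses in it deserve the same treatment.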
@@ -194,6 +197,20 @@ void exec_criu(struct criu_opts *opts) DECLARE_ARG("--cgroup-root"); DECLARE_ARG(opts->cgroup_path); + if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) { + + if (lxc_conf->lsm_aa_profile) + ret = snprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile); + else + ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context); + + if (ret < 0 || ret >= sizeof(buf)) + goto err; + + DECLARE_ARG("--lsm-profile"); + DECLARE_ARG(buf); + } + additional = lxc_list_len(&opts->c->lxc_conf->network) * 2; m = realloc(argv, (argc + additional + 1) * sizeof(*argv)); -- 2.47.2
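Review bot: The added block forwards `lxc_conf->lsm_aa_profile` verbatim as `apparmor:<name>`, which, if the config carries the special value `unconfined` that LXC's own AppArmor code treats as "do not change the label", asks criu to switch the restored task into a profile literally named `unconfined`; I would expect that change to be refused and the restore to fail for containers that deliberately run unconfined, so the argument should be skipped in that case. The if/else also silently ignores `lsm_se_context` whenever an AppArmor profile is set, which is presumably intended (only one LSM is active) but deserves a one-line comment such as `/* AppArmor profile takes precedence when both are configured */`. The truncation check reads `ret` and `buf`, which must be declared earlier in exec_criu outside this hunk; note the function itself begins and ends outside the view.

```c
	const char *aa_profile = lxc_conf->lsm_aa_profile;

	/* LXC itself does not apply the special "unconfined" profile, so do
	 * not ask criu to change into a profile of that name either. */
	if (aa_profile && strcmp(aa_profile, "unconfined") == 0)
		aa_profile = NULL;

	if (aa_profile || lxc_conf->lsm_se_context) {
		/* AppArmor profile takes precedence when both are configured */
		if (aa_profile)
			ret = snprintf(buf, sizeof(buf), "apparmor:%s", aa_profile);
		else
			ret = snprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context);
		/* … unchanged: truncation check and DECLARE_ARG calls … */
	}
```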