From 4a0a5e89e1b77056ee1564861e502bd7dba59656 Mon Sep 17 00:00:00 2001
From: Felix Abecassis
Date: Mon, 19 Mar 2018 11:38:06 -0700
Subject: [PATCH] hooks: fix nvidia hook when running under the lxc-start AppArmor profile

For a reason that I don't understand, the profile transition needs to be done on the current process. Changing the attributes for a subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel to set AT_SECURE in the auxiliary vector and thus secure_getenv(3) inside libnvidia-container will return NULL.

Signed-off-by: Felix Abecassis
---
 hooks/nvidia | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hooks/nvidia b/hooks/nvidia
index fbe05626c..185b0ed4a 100755
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then
 done
 fi
 
+if [ -d "/sys/kernel/security/apparmor" ]; then
+ # Try to transition to the unconfined AppArmor profile.
+ echo "changeprofile unconfined" > /proc/self/attr/current || true
+fi
+
 set -x
 exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"
--
2.47.2
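Review bot: The added block moves the hook, and the `nvidia-container-cli` it then execs, to the `unconfined` AppArmor profile whenever `/sys/kernel/security/apparmor` exists, and the `|| true` hides whether that transition actually happened. Because the rest of the hook then runs either confined or unconfined depending on a silently ignored write, I would report the failure instead, e.g. `echo "changeprofile unconfined" > /proc/self/attr/current || echo "nvidia hook: AppArmor transition to unconfined failed" >&2`. The in-code comment should also record why the change is made on the current process, as the commit message explains: going through `/proc/self/attr/exec` sets AT_SECURE and makes `secure_getenv(3)` in libnvidia-container return NULL. It is worth confirming whether a narrower, dedicated profile would be enough in place of `unconfined`; nothing in the hunk shows that this was evaluated.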