From 85108024bda372e0bbdae9dc1858948987947ef7 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Sat, 20 Sep 2014 04:54:32 +0000
Subject: [PATCH] apparmor: make sure sysfs and securityfs are mounted when checking for mount feature

Otherwise the check will return false if securityfs was not mounted by the container's configuration. In the past we let that quietly proceed, but unconfined. Now that we restrict such container starts, this caused lxc-test-apparmor to fail.

Signed-off-by: Serge Hallyn
Acked-by: Dwight Engen
---
 src/lxc/lsm/apparmor.c | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 8de011505..907fdd3ae 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include "log.h"
 #include "lsm/lsm.h"
@@ -40,14 +41,39 @@ static int aa_enabled = 0;
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
-static int mount_feature_enabled(void)
+static bool mount_feature_enabled(void)
 {
 struct stat statbuf;
+ struct statfs sf;
 int ret;
+ bool mountedsys = false, mountedk = false, bret = true;
+
+ ret = statfs("/sys", &sf);
+ if (ret < 0 || sf.f_type != 0x62656572) {
+ if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting sysfs");
+ return false;
+ }
+ mountedsys = true;
+ }
+ if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
+ if (mount("securityfs", "/sys/kernel/security", "securityfs", 0, NULL) < 0) {
+ SYSERROR("Error mounting securityfs");
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return false;
+ }
+ mountedk = true;
+ }
 ret = stat(AA_MOUNT_RESTR, &statbuf);
 if (ret != 0)
- return 0;
- return 1;
+ bret = false;
+
+ if (mountedk)
+ umount2("/sys/kernel/security", MNT_DETACH);
+ if (mountedsys)
+ umount2("/sys", MNT_DETACH);
+ return bret;
 }
 /* aa_getcon is not working right now. Use our hand-rolled version below */
-- 
2.47.2
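Review bot: The sysfs probe compares `sf.f_type` against the bare literal `0x62656572`, which `<linux/magic.h>` already names `SYSFS_MAGIC`, and the securityfs probe a few lines later is inconsistent with it: it uses `stat()` on `/sys/kernel/security/apparmor` rather than the filesystem type, so an ordinary directory left at that path in the rootfs would skip the mount and make the feature look absent. Suggest `if (ret < 0 || sf.f_type != SYSFS_MAGIC) {` and a matching `statfs("/sys/kernel/security", &sf)` checked against `SECURITYFS_MAGIC`, so both probes answer the same question. The `mount()`/`umount2()` calls are side effects visible to every process sharing the caller's mount namespace, and nothing in the hunk says which namespace the function expects to run in; a short comment on the function such as `/* Temporarily mounts sysfs/securityfs in the caller's mount namespace; callers must not run this in a namespace they cannot afford to alter. */` would record that assumption. The two cleanup `umount2()` calls ignore their return values, so a lingering temporary mount would go unnoticed; logging a failure there would at least surface it.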