From b2fe91c7d4e9dd26903dca9801a32a03a65bd2a4 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 21 Feb 2014 13:53:46 -0600 Subject: [PATCH] apparmor: don't do on-exec profile changes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit always change profile immediately. Otherwise there are weird corner cases where the profile change may not happen. Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber --- src/lxc/lsm/apparmor.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index 280c1eafe..f4c8d2676 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -125,7 +125,7 @@ static int apparmor_am_unconfined(void) * * @label : the profile to set * @default : use the default profile if label is NULL - * @on_exec : the new profile will take effect on exec(2) not immediately + * @on_exec : this is ignored. Apparmor profile will be changed immediately * * Returns 0 on success, < 0 on failure * @@ -149,19 +149,12 @@ static int apparmor_process_label_set(const char *label, int use_default, return 0; } - if (on_exec) { - if (aa_change_onexec(label) < 0) { - SYSERROR("failed to change exec apparmor profile to %s", label); - return -1; - } - } else { - if (aa_change_profile(label) < 0) { - SYSERROR("failed to change apparmor profile to %s", label); - return -1; - } + if (aa_change_profile(label) < 0) { + SYSERROR("failed to change apparmor profile to %s", label); + return -1; } - INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", label); + INFO("changed apparmor profile to %s", label); return 0; } -- 2.47.2