On 03/06/2013 02:41 PM, Serge Hallyn wrote: > If we're not attaching to the mount ns , then don't enter the > container's apparmor policy. Since we're running binaries from the host > and not the container, that actually seems the sane thing to do (besides > also the lazier thing). > > If we dont' do this patch, then we will need to move the apparmor attach > past the procfs remount, will need to also mount securityfs if available, > and for the !remount_proc_sys case we'll want to mount those just long > enough to do the apparmor transition. > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Acked-by: Stéphane Graber <stgra...@ubuntu.com>
> ---
> src/lxc/lxc_attach.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index 1f60266..60d9eac 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -375,9 +375,11 @@ int main(int argc, char *argv[])
> lxc_sync_fini_parent(handler);
> close(cgroup_ipc_sockets[1]);
>
> - if (attach_apparmor(init_ctx->aa_profile) < 0) {
> - ERROR("failed switching apparmor profiles");
> - return -1;
> + if ((namespace_flags & CLONE_NEWNS)) {
> + if (attach_apparmor(init_ctx->aa_profile) < 0) {
> + ERROR("failed switching apparmor profiles");
> + return -1;
> + }
> }
>
> /* A description of the purpose of this functionality is
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
