Quoting Dwight Engen (dwight.en...@oracle.com): > diff --git a/src/lxc/start.c b/src/lxc/start.c > index 7538403..2bf417e 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -556,14 +556,10 @@ static int do_start(void *data) > if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP)) > return -1; > > - /* XXX: hmm apparmor switches right away since it uses > - * aa_change_profile() and not aa_change_onexec(). SELinux on the other > - * hand is going to transition on exec(). Is it bad to run the stuff > - * between here and exec() in the more privileged context? > - */ > + /* Set the label to change to when we exec(2) the container's init */ > if (lsm_process_label_set(handler->conf->lsm_aa_profile ? > handler->conf->lsm_aa_profile : > - handler->conf->lsm_se_context, 1) < 0) > + handler->conf->lsm_se_context, 1, 1) < 0) > goto out_warn_father; > lsm_proc_unmount(handler->conf);
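Review bot: the label selection `handler->conf->lsm_aa_profile ? handler->conf->lsm_aa_profile : handler->conf->lsm_se_context` does not take into account which LSM driver is active, so on an AppArmor host with lxc.aa_profile unset and lxc.se_context set, the SELinux context is handed to lsm_process_label_set() as the AppArmor profile and the call fails at `goto out_warn_father;` instead of leaving the default profile in place. Choose the label from the active driver instead (aa_profile only under AppArmor, se_context only under SELinux) and pass NULL when that key is unset. The new third argument in `handler->conf->lsm_se_context, 1, 1) < 0)` is also a bare literal whose meaning is not visible in this hunk; a named flag or a short comment on the call would make it readable.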
Hi,

This isn't urgent, but it is an issue I noticed yesterday (in your original patch, not in this patch). The original behavior for apparmor was that if aa_profile was not specified, then the default would be used. With this here, if someone leaves lxc.aa_profile unset to get the default, has lxc.se_context set, and starts the container on an apparmor system, then the startup will fail because it will try to set the se_context as the aa_profile.

I guess the simplest way to fix this would be to check drv here and pass in the right context based on which drv is enabled?

-serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
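The failure mode Serge describes, shown as an added stand-alone example that is not LXC code: the patch's ternary beside a per-driver selection. The struct `lsm_conf`, the function names and the driver name strings "AppArmor" and "SELinux" are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed minimal stand-in for the lxc_conf fields used in do_start(). */
struct lsm_conf {
    const char *lsm_aa_profile;  /* lxc.aa_profile, NULL when unset */
    const char *lsm_se_context;  /* lxc.se_context, NULL when unset */
};

/* Label chosen the way the patched ternary does: whenever no AppArmor
 * profile is set it falls through to the SELinux context, regardless of
 * which LSM is actually active on the host. */
const char *label_as_patched(const struct lsm_conf *c)
{
    return c->lsm_aa_profile ? c->lsm_aa_profile : c->lsm_se_context;
}

/* Label chosen per active driver (driver names assumed): only the key
 * belonging to that driver is consulted, and NULL means "nothing
 * configured, keep the driver's default". */
const char *label_by_driver(const char *drv, const struct lsm_conf *c)
{
    if (drv && strcmp(drv, "AppArmor") == 0)
        return c->lsm_aa_profile;
    if (drv && strcmp(drv, "SELinux") == 0)
        return c->lsm_se_context;
    return NULL;  /* no LSM driver active: no label to set */
}

int main(void)
{
    /* Constructed config: aa_profile left unset, se_context set. */
    struct lsm_conf c = { NULL, "system_u:system_r:lxc_t:s0" };
    const char *bad = label_as_patched(&c);
    const char *good = label_by_driver("AppArmor", &c);

    printf("patched ternary on AppArmor host: %s\n", bad);
    printf("per-driver choice on AppArmor host: %s\n", good ? good : "(default)");
    return 0;
}
```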