On a system with AppArmor enabled, if lxc.se_context is configured but
lxc.aa_profile is not (because the user just wants to use the default
AppArmor profile) lxc was passing the lxc.se_context to be set as the
new AppArmor profile. Determine which configuration item to use based
on which lsm is enabled.

Signed-off-by: Dwight Engen <dwight.en...@oracle.com>
---
 src/lxc/start.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2bf417e..e46f3a0 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 static int do_start(void *data)
 {
        struct lxc_handler *handler = data;
+       const char *lsm_label = NULL;
 
        if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
                SYSERROR("failed to set sigprocmask");
@@ -557,9 +558,11 @@ static int do_start(void *data)
                return -1;
 
        /* Set the label to change to when we exec(2) the container's init */
-       if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
-                                 handler->conf->lsm_aa_profile :
-                                 handler->conf->lsm_se_context, 1, 1) < 0)
+       if (!strcmp(lsm_name(), "AppArmor"))
+               lsm_label = handler->conf->lsm_aa_profile;
+       else if (!strcmp(lsm_name(), "SELinux"))
+               lsm_label = handler->conf->lsm_se_context;
+       if (lsm_process_label_set(lsm_label, 1, 1) < 0)
                goto out_warn_father;
        lsm_proc_unmount(handler->conf);
 
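Review bot: when lsm_name() is neither "AppArmor" nor "SELinux", lsm_label stays NULL and lsm_process_label_set(NULL, 1, 1) is still called, so the driver's NULL handling (the use_default argument) is now relied on for the no-LSM case; worth confirming that the nop driver treats a NULL label as a no-op rather than an error. Two smaller points: lsm_name() is evaluated twice back to back, so caching it in a local (`const char *lsm = lsm_name();`) would read more cleanly; and a container that sets lxc.aa_profile on a SELinux host (or lxc.se_context on an AppArmor host) is now silently ignored, which is the desired behaviour per the commit message but deserves at least a WARN() so an operator notices that a configured confinement label was not applied.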
-- 
1.8.3.1


_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel