On Fri, 18 Oct 2013 11:14:07 -0500
Serge Hallyn <serge.hal...@ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > diff --git a/src/lxc/start.c b/src/lxc/start.c
> > index 7538403..2bf417e 100644
> > --- a/src/lxc/start.c
> > +++ b/src/lxc/start.c
> > @@ -556,14 +556,10 @@ static int do_start(void *data)
> >     if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
> >             return -1;
> >  
> > -   /* XXX: hmm apparmor switches right away since it uses
> > -    * aa_change_profile() and not aa_change_onexec(). SELinux
> > on the other
> > -    * hand is going to transition on exec(). Is it bad to run
> > the stuff
> > -    * between here and exec() in the more privileged context?
> > -    */
> > +   /* Set the label to change to when we exec(2) the
> > container's init */ if
> > (lsm_process_label_set(handler->conf->lsm_aa_profile ?
> > handler->conf->lsm_aa_profile :
> > -                             handler->conf->lsm_se_context,
> > 1) < 0)
> > +                             handler->conf->lsm_se_context,
> > 1, 1) < 0) goto out_warn_father;
> >     lsm_proc_unmount(handler->conf);
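Review bot: the fallback `handler->conf->lsm_aa_profile ? handler->conf->lsm_aa_profile : handler->conf->lsm_se_context` chooses the label by which config field happens to be set rather than by which LSM driver is active, so on an AppArmor host with lxc.aa_profile left unset (to get the default profile) and lxc.se_context set, the SELinux context is handed to lsm_process_label_set() as the AppArmor profile and container start fails; select the label from the active driver instead (the lsm_name() check mentioned later in the thread), and preserve the old behaviour of falling back to the default profile when no aa_profile is configured. The new third argument in `lsm_process_label_set(..., 1, 1)` is not explained by the replacement comment above the call; a short note on what each flag means would help readers of this call site.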
> 
> Hi,
> 
> This isn't urgent, but it is an issue I noticed yesterday (in your
> original patch, not in this patch).  The original behavior for
> apparmor was that if aa_profile was not specified, then the default
> would be used.  With this here, if someone leaves lxc.aa_profile
> unset to get the default, has lxc.se_context set, and starts the
> container on an apparmor system, then the startup will fail bc it
> will try to set the se_context as the aa_profile.

Yeah, I had not considered having both on at the same time, nor having
se_context set on an AppArmor system.

> I guess the simplest way to fix this would be to check drv here and
> pass in the right context based on which drv is enabled?

Yep, following is a patch to do that on top of the lsm_name() thing.
 
> -serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
