proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 07:19:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

apparmor: support lxc.aa_profile = unchanged

Browse Source 
In which case lxc will not update the apparmor profile at all.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit is contained in:
Serge Hallyn 2015-11-25 20:45:08 +00:00 committed by Stéphane Graber
parent b035f79209
commit 480c876b20
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/lxc/lsm/apparmor.c
View File

@ -42,6 +42,7 @@ static int mount_features_enabled = 0;
#define AA_DEF_PROFILE "lxc-container-default" #define AA_DEF_PROFILE "lxc-container-default"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
#define AA_UNCHANGED "unchanged"
static bool check_mount_feature_enabled(void) static bool check_mount_feature_enabled(void)
{ {
@ -156,6 +157,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
if (!aa_enabled) if (!aa_enabled)
return 0; return 0;
/* user may request that we just ignore apparmor */
if (label && strcmp(label, AA_UNCHANGED) == 0) {
INFO("apparmor profile unchanged per user request");
return 0;
}
if (!label) { if (!label) {
if (use_default) if (use_default)
label = AA_DEF_PROFILE; label = AA_DEF_PROFILE;