Apparmor: use lxc-default-cgns if cgns is enabled

Because containers need to - and safely can - mount cgroupfs in that
case.

Note that if cgns is enabled but the unshare fails, we fail the container
start, so checking whether they are enabled is enough.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Serge Hallyn 2016-02-21 15:51:37 -08:00
parent dc76ac7ab5
commit 603fd08406


@ -31,6 +31,7 @@
#include "log.h"
#include "lsm/lsm.h"
#include "conf.h"
#include "utils.h"
lxc_log_define(lxc_apparmor, lxc);
@ -40,6 +41,7 @@ static int aa_enabled = 0;
static int mount_features_enabled = 0;
#define AA_DEF_PROFILE "lxc-container-default"
#define AA_DEF_PROFILE_CGNS "lxc-container-default-cgns"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
#define AA_UNCHANGED "unchanged"
@ -202,8 +204,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
free(curlabel);
if (!label) {
if (use_default)
label = AA_DEF_PROFILE;
if (use_default) {
if (cgns_supported())
label = AA_DEF_PROFILE_CGNS;
else
label = AA_DEF_PROFILE;
}
else
label = "unconfined";
}