From 603fd08406d10d924f7bb9ed57cb09ed237115db Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Sun, 21 Feb 2016 15:51:37 -0800
Subject: [PATCH] Apparmor: use lxc-default-cgns if cgns is enabled
Because containers need to - and safely can - mount cgroufs in that case. Note that if cgns is enabled but the unshare fails, we fail the container start, so checking whether they are enabled is enough.
Signed-off-by: Serge Hallyn
---
 src/lxc/lsm/apparmor.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6352e2c25..c0b2e340d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "lsm/lsm.h"
 #include "conf.h"
+#include "utils.h"
 lxc_log_define(lxc_apparmor, lxc);
@@ -40,6 +41,7 @@ static int aa_enabled = 0;
 static int mount_features_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
+#define AA_DEF_PROFILE_CGNS "lxc-container-default-cgns"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
 #define AA_UNCHANGED "unchanged"
@@ -202,8 +204,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 free(curlabel);
 if (!label) {
- if (use_default)
- label = AA_DEF_PROFILE;
+ if (use_default) {
+ if (cgns_supported())
+ label = AA_DEF_PROFILE_CGNS;
+ else
+ label = AA_DEF_PROFILE;
+ }
 else
 label = "unconfined";
 }
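Review bot: The selection of `AA_DEF_PROFILE_CGNS` in the last hunk keys only on `cgns_supported()`, a host-wide capability check, and nothing in the hunk ties it to this particular container actually being started inside a cgroup namespace; the commit message's argument (the unshare is mandatory once supported and start fails otherwise) is what makes the wider profile safe to hand out, so it belongs next to the check as a comment, e.g. `/* cgns_supported() is sufficient: when the host supports cgroup namespaces the unshare is mandatory and start fails if it does not happen, so the cgns profile (which allows mounting cgroupfs) never runs without one */`. If a later change lets a container config opt out of the cgroup namespace, this branch would need to read that option too, otherwise a container without the namespace gets the profile meant for one. On style, the added `}` now leaves a bare `else` on the following line; `} else {` with the `label = "unconfined";` branch braced matches the braced `if` above it. apparmor_process_label_set begins before the hunk and continues past it.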