proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 04:04:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

apparmor: don't do on-exec profile changes

Browse Source 
always change profile immediately.  Otherwise there are weird
corner cases where the profile change may not happen.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit is contained in:
Serge Hallyn 2014-02-21 13:53:46 -06:00 committed by Stéphane Graber
parent 223b1e0c87
commit b2fe91c7d4
1 changed files with 5 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/lxc/lsm/apparmor.c
View File

@ -125,7 +125,7 @@ static int apparmor_am_unconfined(void)
*
* @label : the profile to set
* @default : use the default profile if label is NULL
* @on_exec : the new profile will take effect on exec(2) not immediately
* @on_exec : this is ignored. Apparmor profile will be changed immediately
*
* Returns 0 on success, < 0 on failure
*
@ -149,19 +149,12 @@ static int apparmor_process_label_set(const char *label, int use_default,
return 0;
}
if (on_exec) {
if (aa_change_onexec(label) < 0) {
SYSERROR("failed to change exec apparmor profile to %s", label);
return -1;
}
} else {
if (aa_change_profile(label) < 0) {
SYSERROR("failed to change apparmor profile to %s", label);
return -1;
}
if (aa_change_profile(label) < 0) {
SYSERROR("failed to change apparmor profile to %s", label);
return -1;
}
INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", label);
INFO("changed apparmor profile to %s", label);
return 0;
}