Re: [lxc-devel] [PATCH 1/1] apparmor: don't do on-exec profile changes

Sat, 22 Feb 2014 15:29:26 -0800 

On Fri, Feb 21, 2014 at 01:53:46PM -0600, Serge Hallyn wrote:
> always change profile immediately.  Otherwise there are weird
> corner cases where the profile change may not happen.
> 
> Signed-off-by: Serge Hallyn <[email protected]>

It may be a surprise for anyone not reading the function documentation,
but since it's not like we use those everyday, I guess that's fine.

Btw, one such case where this change is needed is on overlayfs where
on-exec profile change doesn't appear to work at all (kernel bug, though
a rather mysterious one...).

Acked-by: Stéphane Graber <[email protected]>

> ---
>  src/lxc/lsm/apparmor.c | 17 +++++------------
>  1 file changed, 5 insertions(+), 12 deletions(-)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index 280c1ea..f4c8d26 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -125,7 +125,7 @@ static int apparmor_am_unconfined(void)
>   *
>   * @label   : the profile to set
>   * @default : use the default profile if label is NULL
> - * @on_exec : the new profile will take effect on exec(2) not immediately
> + * @on_exec : this is ignored.  Apparmor profile will be changed immediately
>   *
>   * Returns 0 on success, < 0 on failure
>   *
> @@ -149,19 +149,12 @@ static int apparmor_process_label_set(const char 
> *label, int use_default,
>               return 0;
>       }
>  
> -     if (on_exec) {
> -             if (aa_change_onexec(label) < 0) {
> -                     SYSERROR("failed to change exec apparmor profile to 
> %s", label);
> -                     return -1;
> -             }
> -     } else {
> -             if (aa_change_profile(label) < 0) {
> -                     SYSERROR("failed to change apparmor profile to %s", 
> label);
> -                     return -1;
> -             }
> +     if (aa_change_profile(label) < 0) {
> +             SYSERROR("failed to change apparmor profile to %s", label);
> +             return -1;
>       }
>  
> -     INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", label);
> +     INFO("changed apparmor profile to %s", label);
>       return 0;
>  }
>  
> -- 
> 1.9.0
> 
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

Attachment: signature.asc
Description: Digital signature

_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel

Reply via email to