Quoting Martin Pitt ([email protected]):
> Serge Hallyn [2014-07-31 17:57 +0000]:
> > Quoting Martin Pitt ([email protected]):
> > > On Ubuntu we need to set up the AppArmor profiles also under systemd. Add a new
> > > helper "lxc-apparmor-load" and integrate it into lxc.service.
> > > ---
> > > config/init/systemd/Makefile.am | 5 +++--
> > > config/init/systemd/lxc.service.in | 1 +
> > > 2 files changed, 4 insertions(+), 2 deletions(-)
> >
> > Unfortunately you did not 'git add' the lxc-apparmor-load helper :)
>
> Argh, sorry about that. Fixed patch :)
>
> Martin
>
> --
Acked-by: Serge E. Hallyn <[email protected]> > Martin Pitt | http://www.piware.de > Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) > From b78db5f7858e82203429f708fedd39a7dd962d02 Mon Sep 17 00:00:00 2001 > From: Martin Pitt <[email protected]> > Date: Thu, 31 Jul 2014 08:06:15 +0200 > Subject: [PATCH 5/6] systemd: Load AppArmor profiles if necessary/supported > > On Ubuntu we need to set up the AppArmor profiles also under systemd. Add a > new > helper "lxc-apparmor-load" and integrate it into lxc.service. > --- > config/init/systemd/Makefile.am | 5 +++-- > config/init/systemd/lxc-apparmor-load | 14 ++++++++++++++ > config/init/systemd/lxc.service.in | 1 + > 3 files changed, 18 insertions(+), 2 deletions(-) > create mode 100755 config/init/systemd/lxc-apparmor-load > > diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am > index ed1e4ef..5959cd8 100644 > --- a/config/init/systemd/Makefile.am > +++ b/config/init/systemd/Makefile.am > @@ -1,5 +1,6 @@ > EXTRA_DIST = \ > lxc-devsetup \ > + lxc-apparmor-load \ > lxc.service.in \ > lxc-net.service.in \ > $(NULL) > @@ -15,7 +16,7 @@ lxc-autostart-helper: ../sysvinit/lxc.in > $(top_builddir)/config.status > mv $@-t $@ > BUILT_SOURCES = lxc-autostart-helper lxc.service lxc-net.service > > -install-systemd: lxc.service lxc-net.service lxc-devsetup > lxc-autostart-helper > +install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load > lxc-autostart-helper > $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR) > $(INSTALL_DATA) lxc.service lxc-net.service > $(DESTDIR)$(SYSTEMD_UNIT_DIR)/ > > @@ -24,7 +25,7 @@ uninstall-systemd: > rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service > rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || : > > -pkglibexec_SCRIPTS = lxc-devsetup lxc-autostart-helper > +pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load lxc-autostart-helper > > install-data-local: install-systemd > uninstall-local: uninstall-systemd 
> diff --git a/config/init/systemd/lxc-apparmor-load > b/config/init/systemd/lxc-apparmor-load > new file mode 100755 > index 0000000..4ac9496 > --- /dev/null > +++ b/config/init/systemd/lxc-apparmor-load > @@ -0,0 +1,14 @@ > +#!/bin/sh > +# lxc-apparmor-load: Load AppArmor profiles, if supported by the system > + > +set -eu > + > +# don't load profiles if mount mediation is not supported > +SYSF=/sys/kernel/security/apparmor/features/mount/mask > +if [ -f $SYSF ]; then > + if [ -x /lib/init/apparmor-profile-load ]; then > + /lib/init/apparmor-profile-load usr.bin.lxc-start > + /lib/init/apparmor-profile-load lxc-containers > + fi > +fi > + > diff --git a/config/init/systemd/lxc.service.in > b/config/init/systemd/lxc.service.in > index c7f2813..f64610f 100644 > --- a/config/init/systemd/lxc.service.in > +++ b/config/init/systemd/lxc.service.in > @@ -7,6 +7,7 @@ Wants=lxc-net.service > Type=oneshot > RemainAfterExit=yes > ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup > +ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load > ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start > ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop > # Environment=BOOTUP=serial > -- > 2.0.1 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel
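
Review bot: in the new config/init/systemd/lxc-apparmor-load, both guards skip silently: when $SYSF is absent or /lib/init/apparmor-profile-load is not executable, the script exits 0 with no output, so lxc.service goes on to run lxc-autostart-helper with nothing in the journal saying that usr.bin.lxc-start and lxc-containers were not loaded by this helper. Suggest printing a one-line reason to stderr in each skipped branch so the skipped profile load is visible to whoever audits the host. Minor style point on the same test: quote the expansion, [ -f "$SYSF" ].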
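
Review bot: the added ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load line in lxc.service.in has no "-" prefix and the helper runs under set -eu, so a non-zero exit from either /lib/init/apparmor-profile-load call fails the unit and the ExecStart= autostart never runs. If blocking container autostart on a profile load error is the intended fail-closed behaviour, state that in the commit message or in a comment next to the line; if it is not, the line should read ExecStartPre=-@LIBEXECDIR@/lxc/lxc-apparmor-load.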
