On Wed, Oct 23, 2013 at 08:54:13PM -0500, Serge Hallyn wrote:
> Since we check /sys/kernel/security/ files when deciding whether
> apparmor is enabled, and that might not be mounted in the container,
> we cannot re-make the decision at apparmor_process_label_set() time.
> Luckily we don't have to - just cache the decision made at
> lsm_apparmor_drv_init().
> 
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>

Acked-by: Stéphane Graber <stgra...@ubuntu.com>

> ---
>  src/lxc/lsm/apparmor.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index cf8020d..aaf8056 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -32,6 +32,9 @@
>  
>  lxc_log_define(lxc_apparmor, lxc);
>  
> +/* set by lsm_apparmor_drv_init if true */
> +static int aa_enabled = 0;
> +
>  #define AA_DEF_PROFILE "lxc-container-default"
>  #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
>  #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
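Review bot: the comment on the new `aa_enabled` variable reads as "set ... if true", which does not say what it caches or when it becomes valid; since the cached value is what `apparmor_process_label_set()` now trusts, spell out the contract, e.g. `/* 1 once lsm_apparmor_drv_init() has confirmed apparmor_enabled(); never re-checked afterwards */`, so a later reader does not try to consult it before init has run.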
> @@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
>  static int apparmor_process_label_set(const char *label, int use_default,
>                                     int on_exec)
>  {
> -     if (!apparmor_enabled())
> +     if (!aa_enabled)
>               return 0;
>  
>       if (!label) {
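Review bot: replacing the live `apparmor_enabled()` check with the cached `aa_enabled` makes this function depend on `lsm_apparmor_drv_init()` having run earlier in the same process (or in the parent before the container child was forked, per the commit message); if that ordering is ever violated the function still returns 0 without applying any label, which is a silent fail-open from the caller's point of view. Consider logging at least at debug level on the `!aa_enabled` path so that a container started without its expected profile is visible in the logs rather than indistinguishable from success.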
> @@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
>  {
>       if (!apparmor_enabled())
>               return NULL;
> +     aa_enabled = 1;
>       return &apparmor_drv;
>  }
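Review bot: the flag is set only on the success path and never cleared, which is correct, but this hunk converts only one caller of `apparmor_enabled()`; the hunk header above shows `apparmor_am_unconfined()` in the same file, so it is worth checking whether any other call site still reads `/sys/kernel/security` and could run inside the container where that filesystem is not mounted, for the same reason given in the commit message.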
> -- 
> 1.8.1.2
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com


_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
