
attach: handle apparmor transitions in !NEWNS cases

If we're not attaching to the mount ns, then don't enter the
container's apparmor policy.  Since we're running binaries from the host
and not the container, that actually seems the sane thing to do (besides
also the lazier thing).

If we don't do this patch, then we will need to move the apparmor attach
past the procfs remount, will need to also mount securityfs if available,
and for the !remount_proc_sys case we'll want to mount those just long
enough to do the apparmor transition.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
commit 990d9d7c371d26021f14d25a62484776b1f14d32 1 parent 53a5409
Serge Hallyn authored stgraber committed

Showing 1 changed file with 5 additions and 3 deletions.

src/lxc/lxc_attach.c (+5 −3)
@@ -376,9 +376,11 @@ int main(int argc, char *argv[])
376 376 lxc_sync_fini_parent(handler);
377 377 close(cgroup_ipc_sockets[1]);
378 378
379   - if (attach_apparmor(init_ctx->aa_profile) < 0) {
380   - ERROR("failed switching apparmor profiles");
381   - return -1;
  379 + if ((namespace_flags & CLONE_NEWNS)) {
  380 + if (attach_apparmor(init_ctx->aa_profile) < 0) {
  381 + ERROR("failed switching apparmor profiles");
  382 + return -1;
  383 + }
382 384 }
383 385
384 386 /* A description of the purpose of this functionality is
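Review bot: the new guard `if ((namespace_flags & CLONE_NEWNS))` around `attach_apparmor()` means that whenever the mount namespace is not entered, the attached process stays under the host's AppArmor confinement rather than the container's profile; that is the behaviour the commit message argues for, but nothing in the code says so, so add a comment at the `if` explaining that the transition is skipped because host binaries are being run and the container profile cannot be applied before the procfs remount and securityfs mount the message describes. It would also help operators to log (at INFO or similar, using the project's existing logging macros) that the apparmor transition was skipped, so an attach that runs without the container's profile is visible in the logs rather than silent. Minor style point: the doubled parentheses are redundant, `if (namespace_flags & CLONE_NEWNS)` matches the surrounding code.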

0 comments on commit 990d9d7
