cmd/snap-confine: don't use apparmor if it is disabled on boot #3243
zyga requested a review from jdstrand Apr 26, 2017
jdstrand approved these changes Apr 26, 2017
These changes are fine and should have been in place when SC_AA_NOT_APPLICABLE was first implemented. I.e., it is an obvious (in retrospect) bug that snap-confine is trying to change_onexec and change_hat when there is nothing it can change to.
Note, all the discussion on whether or not SC_AA_NOT_APPLICABLE should be a thing already happened in its PR and the decision was made that it is more important to fail open when apparmor is unavailable than to fail closed. This PR just goes along with the previous decision.
That said, it would be nice to see a test here to tack onto any tests for SC_AA_NOT_APPLICABLE. I won't block on that though.
Looks good to me, but
zyga commented Apr 26, 2017
If apparmor is not enabled (either in the kernel or on boot) then don't
try to use it, even if it is compiled into snap-confine.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
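
The gate this thread describes, as an added example (not snap-confine's code): probe whether AppArmor is active, and skip the profile transition entirely when it is not. All names below are hypothetical except the sysfs parameter path and `aa_change_onexec()`, which is replaced by a constructed fake so the block runs without libapparmor.

```c
#include <stdio.h>

/* Hypothetical names; only SC_AA_NOT_APPLICABLE itself appears in the thread. */
enum aa_mode { AA_NOT_APPLICABLE, AA_ENABLED };

/* Interpret the kernel's AppArmor "enabled" parameter text: "Y" means active.
 * NULL (file absent, AppArmor not in the kernel) or "N" (disabled on boot,
 * e.g. apparmor=0) both mean there is no profile to transition into. */
enum aa_mode mode_from_param(const char *text)
{
    return (text != NULL && text[0] == 'Y') ? AA_ENABLED : AA_NOT_APPLICABLE;
}

/* Probe the running kernel; the path is a parameter so it can be tested. */
enum aa_mode probe_apparmor(const char *param_path)
{
    char buf[8] = "";
    FILE *f = fopen(param_path, "r");
    if (f == NULL)
        return mode_from_param(NULL);
    char *line = fgets(buf, sizeof buf, f);   /* NULL on an empty file */
    fclose(f);
    return mode_from_param(line);
}

/* Stand-in for a profile transition such as libapparmor's aa_change_onexec(). */
typedef int (*transition_fn)(const char *profile);

/* Gate the transition on the probed mode.
 * Returns 0 when skipped (fail open), 1 on success, -1 when the call failed. */
int confine_onexec(enum aa_mode mode, transition_fn change, const char *profile)
{
    if (mode == AA_NOT_APPLICABLE)
        return 0;               /* nothing to change to: do not call at all */
    return change(profile) == 0 ? 1 : -1;
}

int transition_calls = 0;       /* constructed fake used to observe the gate */
int fake_transition(const char *profile) { (void)profile; transition_calls++; return 0; }

int main(void)
{
    enum aa_mode mode = probe_apparmor("/sys/module/apparmor/parameters/enabled");
    /* "snap.example.app" is a constructed profile name */
    int rc = confine_onexec(mode, fake_transition, "snap.example.app");
    printf("mode=%s result=%d\n", mode == AA_ENABLED ? "enabled" : "not-applicable", rc);
    return 0;
}
```

The distinct return value for the skipped case lets a caller log that the process is starting without AppArmor confinement, which is what failing open means here.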