apparmor: support lxc.aa_profile = unchanged

In which case lxc will not update the apparmor profile at all. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: support lxc.aa_profile = unchanged
480c876b · Serge Hallyn · Stéphane Graber · b035f792 · 480c876b
Commit 480c876b authored Nov 25, 2015 by Serge Hallyn Committed by Stéphane Graber Dec 03, 2015
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

apparmor.c src/lxc/lsm/apparmor.c +7 -0

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -42,6 +42,7 @@ static int mount_features_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
+#define AA_UNCHANGED "unchanged"
 static bool check_mount_feature_enabled(void)
 {
@@ -156,6 +157,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 	if (!aa_enabled)
 		return 0;
+	/* user may request that we just ignore apparmor */
+	if (label && strcmp(label, AA_UNCHANGED) == 0) {
+		INFO("apparmor profile unchanged per user request");
+		return 0;
+	}
 	if (!label) {
 		if (use_default)
 			label = AA_DEF_PROFILE;